| VID |
210182 |
| Severity |
20 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).
* References:
https://www.owasp.org/index.php/Security_Headers
* Platforms Affected:
Any operating system Any version |
| Recommendation |
* Define the following in Apache's httpd.conf file:
<IfModule mod_headers.c>
Header set Content-Security-Policy "script-src 'self' ; img-src 'self'; style-src 'self' 'unsafe-inline';connect-src http:; child-src 'unsafe-inline'"
Header set X-Content-Type-Options nosniff
Header set X-XSS-Protection "1;mode=block"
Header set Cache-Control "no-store"
Header set Pragma "no-cache"
Header set X-Frame-Options SAMEORIGIN
</IfModule>
*WAS sends a header to the response using a filter.
response.setHeader("X-Frame-Options","SAMEORIGIN"); |
| Related URL |
(CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
