Version: v1

Suboptimal Anti-clickjacking Headers

What is it?

The API endpoint or server returned a response with suboptimal anti-clickjacking headers.

The following distinct issues are covered under this category:

1. Missing Anti-clickjacking Header

Summary

The response includes neither a Content-Security-Policy header with a 'frame-ancestors' directive nor an X-Frame-Options header, so it does not protect against clickjacking attacks.

Solution

Modern web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure at least one of them is set on all responses returned by your API.

OWASP recommends that API responses set the 'X-Frame-Options' header to 'DENY'.

2. Multiple X-Frame-Options Header Entries In Response

Summary

Multiple X-Frame-Options (XFO) headers were found in the response. A response with multiple XFO header entries may not be predictably processed by all user-agents.

Solution

Ensure only a single X-Frame-Options header is present in the response.

3. X-Frame-Options Setting Malformed

Summary

An X-Frame-Options header was present in the response, but its value was not a valid setting.

Solution

Ensure a valid setting is used on all responses returned by your API server. OWASP recommends that API responses set the 'X-Frame-Options' header to 'DENY'.
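The three checks above can be reproduced on a captured response's header list. The following is an added example, not the product's own analysis code; it assumes the valid X-Frame-Options values are DENY and SAMEORIGIN (the obsolete ALLOW-FROM form is treated as malformed), and it keeps headers as (name, value) pairs so that repeated entries are not collapsed.

```python
from typing import List, Tuple

# Assumption for this example: only these two values count as valid.
# Browsers compare the value ASCII case-insensitively, so we upper-case it.
VALID_XFO = {"DENY", "SAMEORIGIN"}

MISSING = "Missing Anti-clickjacking Header"
MULTIPLE = "Multiple X-Frame-Options Header Entries In Response"
MALFORMED = "X-Frame-Options Setting Malformed"


def csp_has_frame_ancestors(csp_value: str) -> bool:
    """True if a Content-Security-Policy value carries a frame-ancestors directive."""
    directives = (d.strip().lower() for d in csp_value.split(";"))
    return any(d.startswith("frame-ancestors") for d in directives)


def check_anticlickjacking(headers: List[Tuple[str, str]]) -> List[str]:
    """Return the findings (issue names from this page) for one response.

    `headers` is a list of (name, value) pairs; a dict would silently merge
    duplicate X-Frame-Options entries and hide issue 2.
    """
    findings: List[str] = []
    xfo_values = [v.strip() for n, v in headers if n.lower() == "x-frame-options"]
    # Only the enforcing CSP header counts; Content-Security-Policy-Report-Only
    # does not block framing, so it is deliberately excluded by the exact match.
    csp_values = [v for n, v in headers if n.lower() == "content-security-policy"]

    if not xfo_values and not any(csp_has_frame_ancestors(v) for v in csp_values):
        findings.append(MISSING)
    if len(xfo_values) > 1:
        findings.append(MULTIPLE)
    if any(v.upper() not in VALID_XFO for v in xfo_values):
        findings.append(MALFORMED)
    return findings


# Constructed sample responses (header lists only) for a quick self-check.
SAMPLES = {
    "no headers": [("Content-Type", "application/json")],
    "xfo deny": [("X-Frame-Options", "DENY")],
    "csp only": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
    "duplicate xfo": [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")],
    "bad value": [("X-Frame-Options", "ALLOWALL")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label}: {check_anticlickjacking(hdrs) or 'OK'}")
```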

References

Test case FAQs

When is this test case applicable?

This is applicable for all API endpoints when the Baseline security category is enabled in test plans.

How does it work?

Responses sent by the API server are analyzed for missing, duplicated, or malformed 'X-Frame-Options' headers (and for the absence of a Content-Security-Policy 'frame-ancestors' directive when no X-Frame-Options header is present).

What is the solution?

Please refer to the solutions for the specific issues listed above: Missing Anti-clickjacking Header, Multiple X-Frame-Options Header Entries In Response, X-Frame-Options Setting Malformed.