X-Frame-Options header not found

Rule from http under security category


Clickjacking happens when an attacker loads your site inside an IFrame on a page they control and layers their own content over it, so that a visitor's clicks and keystrokes land on your site's controls (a "Confirm" button, a settings form) without the visitor realising it. The X-Frame-Options response header tells the browser whether your pages may be rendered inside a frame at all.

The recommended value:

X-Frame-Options: SAMEORIGIN

// or

X-Frame-Options: DENY

// or

X-Frame-Options: ALLOW-FROM http://passmarked.com

SAMEORIGIN allows your pages to be framed only by pages from the same origin (same scheme, host and port); DENY forbids framing altogether and is the safest choice when your site never needs to be framed. ALLOW-FROM names a single origin that may frame you, but it is obsolete: Chrome and Safari never supported it and Firefox dropped it in version 70, and a browser that does not recognise the value ignores the whole header, leaving the page unprotected. If you need to let a specific third-party origin frame you, use the Content-Security-Policy frame-ancestors directive instead. The header only protects the responses it is sent with, and browser handling of several conflicting values (for example one set by the application and another by a proxy) varies, so make sure exactly one value is sent on every page.

How do I fix this?

Although you may set HTTP headers in your application code, it is usually simpler and more reliable to have the web server add the header to every response.

// nginx
add_header X-Frame-Options SAMEORIGIN always;

// apache (mod_headers must be enabled, e.g. a2enmod headers)
<IfModule mod_headers.c>
  Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>

Two things to watch. In nginx, add_header directives are inherited from the enclosing server or http block only when the current location block defines no add_header of its own, so any location that sets other headers must repeat this one; the always parameter makes nginx send it on error responses as well. In Apache, Header set takes the header name and value as two separate arguments (no colon, no trailing semicolon), and the always condition makes the header appear on non-2xx responses too.
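To confirm that the values above and the server configuration actually produce a protective header, here is a small checker. It is an added example for this rule, not Passmarked's own scanner; the verdict names, the assess_x_frame_options and check_url functions and the sample header sets are this example's own constructions. The check_url function fetches a live URL with urllib when one is passed on the command line; with no arguments the script runs over the constructed samples only.

```python
"""Offline check of an X-Frame-Options value, plus an optional live fetch.

Added example for this rule; it is not Passmarked's own checker. The verdict
names and the sample headers below are this example's own constructions.
"""
import sys
import urllib.request
from typing import Mapping, Tuple

PROTECTED = "protected"          # DENY or SAMEORIGIN
PARTIAL = "partial"              # ALLOW-FROM: only legacy browsers honour it
MISCONFIGURED = "misconfigured"  # several different values sent
UNPROTECTED = "unprotected"      # missing, empty or unrecognised value


def assess_x_frame_options(headers: Mapping[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason) for a mapping of response header names to values.

    Names match case-insensitively. Repeated headers are expected to have been
    joined with commas (how proxies and urllib present them); the list is split
    and compared case-insensitively, mirroring how browsers parse the header.
    """
    value = next((v for k, v in headers.items() if k.lower() == "x-frame-options"), None)
    if value is None:
        return UNPROTECTED, "X-Frame-Options header not found"

    parts = [p.strip() for p in value.split(",") if p.strip()]
    unique = {p.upper() for p in parts}
    if not unique:
        return UNPROTECTED, "empty X-Frame-Options value; browsers ignore it"
    if len(unique) > 1:
        return MISCONFIGURED, (f"conflicting values {parts!r}; browser handling varies, "
                               "send exactly one value")

    directive = parts[0]
    upper = directive.upper()
    if upper in ("DENY", "SAMEORIGIN"):
        return PROTECTED, f"{upper} set"
    if upper.startswith("ALLOW-FROM"):
        # Chrome and Safari never supported ALLOW-FROM and Firefox dropped it in
        # version 70; a browser that does not recognise the value ignores the
        # whole header, so framing is blocked only in legacy browsers.
        return PARTIAL, f"{directive!r} is obsolete; use CSP frame-ancestors instead"
    return UNPROTECTED, f"unrecognised value {directive!r}; browsers ignore the header"


def check_url(url: str) -> Tuple[str, str]:
    """Fetch url (redirects followed) and assess the final response's headers.

    Repeated X-Frame-Options headers are joined with ", " before assessment so
    conflicting values are detected rather than silently overwritten.
    """
    with urllib.request.urlopen(url, timeout=10) as resp:
        joined = {}
        for name, val in resp.headers.items():
            joined[name] = f"{joined[name]}, {val}" if name in joined else val
        return assess_x_frame_options(joined)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        # Constructed sample responses, used when no URL is given on the command line.
        samples = {
            "no header": {"Content-Type": "text/html"},
            "nginx fix": {"X-Frame-Options": "SAMEORIGIN"},
            "legacy": {"X-Frame-Options": "ALLOW-FROM http://passmarked.com"},
            "doubled": {"X-Frame-Options": "DENY, SAMEORIGIN"},
        }
        for label, hdrs in samples.items():
            print(f"{label:10} -> {assess_x_frame_options(hdrs)}")
    else:
        for target in sys.argv[1:]:
            print(target, "->", check_url(target))
```

Run it against the URL of your own site after deploying the server change, and also against a deep link and an error page (a 404, for instance): the inheritance and always caveats above mean the home page being protected does not prove the rest of the site is.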
