This article is a part of our Web Security Knowledge Base (back to index)
Why Multiple X-Frame-Options Header Entries can be dangerous
The ‘X-Frame-Options’ HTTP response header indicates whether the browser should be allowed to render the website in a ‘<frame>’, ‘<iframe>’, ‘<embed>’ or ‘<object>’. It is used to avoid ‘click-jacking’ ( https://developer.mozilla.org/en-US/docs/Web/Security/Types_of_attacks#Click-jacking ) attacks by ensuring that the content of the page is not embedded into other sites.
‘Multiple X-Frame-Options Header Entries’ can result in only one ‘X-Frame-Options’ HTTP header being applied and the rest of them ignored or the configuration being incorrectly applied by the web browser.
How to fix Multiple X-Frame-Options Header Entries
Ensure that your server is configured to send HTTP responses with only one ‘X-Frame-Options’ header being present.
How does ScanRepeat report Multiple X-Frame-Options Header Entries
ScanRepeat analyzes every HTTP response and reports URLs where there were multiple ‘X-Frame-Options’ HTTP headers found.
Would you like to test your application now against this problem? Sign up for our free trial