
Why Multiple X-Frame-Options Header Entries can be dangerous

The ‘X-Frame-Options’ HTTP response header tells the browser whether it may render the page inside a ‘<frame>’, ‘<iframe>’, ‘<embed>’ or ‘<object>’. It is used to defend against ‘click-jacking’ ( https://developer.mozilla.org/en-US/docs/Web/Security/Types_of_attacks#Click-jacking ) attacks by ensuring that the page's content cannot be embedded into other sites.

When a response carries ‘Multiple X-Frame-Options Header Entries’, browsers do not handle them consistently: one ‘X-Frame-Options’ header may be applied and the rest ignored, or the conflicting values may cause the browser to apply the configuration incorrectly, so the framing protection the header was meant to provide cannot be relied upon.

How to fix Multiple X-Frame-Options Header Entries

Ensure that your server is configured to send HTTP responses with exactly one ‘X-Frame-Options’ header present.

How does ScanRepeat report Multiple X-Frame-Options Header Entries

ScanRepeat analyzes every HTTP response and reports the URLs where more than one ‘X-Frame-Options’ HTTP header was found.
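The check below is an added example of the kind of detection described in the two sections above; it is not ScanRepeat's own code. It parses a raw HTTP response, collects every ‘X-Frame-Options’ value and flags the URL when more than one is present. It also expands a comma-folded value such as ‘DENY, SAMEORIGIN’, because some HTTP client libraries and proxies merge repeated headers into one entry and a scanner that only counted header lines would miss that case. The sample responses and the example.test URLs are constructed for the example, so it runs offline; the duplicated response models the common situation in which both an application server and a reverse proxy in front of it set the header.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample responses (not captured from any real site). In the first
# one an application server sets X-Frame-Options and a reverse proxy in front
# of it adds its own entry, so the client receives two headers.
DUPLICATED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "x-frame-options: SAMEORIGIN\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)

# Some HTTP client libraries and proxies fold repeated headers into a single
# comma-separated value, so the check must also look inside one entry.
FOLDED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: DENY, SAMEORIGIN\r\n"
    "\r\n"
)

# The corrected configuration: exactly one X-Frame-Options header.
CLEAN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs from a raw HTTP response, names lower-cased.

    Only the header block is parsed; the status line and the body are skipped.
    Header names are case-insensitive, so 'x-frame-options' and
    'X-Frame-Options' must be counted as the same header.
    """
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    headers = []
    for line in head.splitlines()[1:]:  # element 0 is the status line
        if ":" not in line:
            continue  # tolerate a malformed line instead of aborting the check
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return headers


def x_frame_options_values(raw: str) -> List[str]:
    """Every X-Frame-Options value the response carries, one per policy.

    Repeated header lines and comma-folded values are both expanded, so
    'X-Frame-Options: DENY, SAMEORIGIN' counts as two entries.
    """
    values = []
    for name, value in parse_headers(raw):
        if name == "x-frame-options":
            values.extend(v.strip() for v in value.split(",") if v.strip())
    return values


def has_multiple_x_frame_options(raw: str) -> bool:
    return len(x_frame_options_values(raw)) > 1


def report(url: str, raw: str) -> Optional[str]:
    """One finding line per affected URL, or None when the response is clean."""
    values = x_frame_options_values(raw)
    if len(values) > 1:
        return f"{url}: {len(values)} X-Frame-Options entries found: {values}"
    return None


if __name__ == "__main__":
    # example.test is a placeholder host used only for this demonstration.
    for url, raw in [
        ("https://example.test/duplicated", DUPLICATED_RESPONSE),
        ("https://example.test/folded", FOLDED_RESPONSE),
        ("https://example.test/clean", CLEAN_RESPONSE),
    ]:
        print(report(url, raw) or f"{url}: ok")
```

Run against a live site, the same functions can be fed the raw header block returned by any HTTP client that preserves repeated headers; if the client already folds them, the comma expansion in x_frame_options_values keeps the finding visible.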
