This article is a part of our Web Security Knowledge Base (back to index)

Why X-Frame-Options Header Not Set can be dangerous

When X-Frame-Options Header is not set your application pages can be embedded within any other website with no restrictions, e.g. to create a malicious page with your original content augmented with dangerous fragments including phishing attempts, ads, clickjacking code, etc.

The attacker may create a website mixing the original content of your application embedded in an iframe with malicious code, e.g.

<html> phishing code, clickjacking code, ads, etc. <iframe src="http://your application"></iframe> <html>

and distribute it across your application users who won’t be able to notice that they do not interact solely with your application.

How to fix X-Frame-Options Header Not Set

X-Frame-Options is an HTTP response header parameter returned by your server, it can be set with two values:

SAMEORIGIN - only websites located in the same domain can embed the returned page in an iframe

DENY - embedding in an iframe is not allowed.

How does ScanRepeat report X-Frame-Options Header Not Set

ScanRepeat reports “X-Frame-Options Header Not Set” listing all instances of URL resources returned without the header along with additional information on what should be set to fix this problem.

Would you like to test your application now against this problem? Sign up for our free trial

Scan Your Web App Now
Scan your application
for 14 days for free

No credit card is required. No commitment.

Sign Up Free