Missing X-Frame-Options Header
What This Means
URLs missing an X-Frame-Options response header with a DENY or SAMEORIGIN value. This header instructs the browser not to render a page within a frame, iframe, embed or object. This helps avoid ‘clickjacking’ attacks, where your content is displayed on another web page that is controlled by an attacker.
What Triggers This Issue
This issue is triggered when a URL is missing the ‘X-Frame-Options’ HTTP header with a DENY or SAMEORIGIN value. For example, either of these headers would prevent the issue:
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
How To Fix
To minimise security issues, the X-Frame-Options response header should be supplied with a DENY or SAMEORIGIN value.
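A check for this rule, as an added example (not part of the original page or any tool's own code): it takes response headers as (name, value) pairs and reports URLs where X-Frame-Options is missing or is not a single DENY or SAMEORIGIN value. The function names, the sample URLs and the choice to report conflicting repeated headers are assumptions of the example.

```python
# Added example: audit response headers for the issue described on this page.
# Header names are case-insensitive; comparing the value case-insensitively
# is an assumption of this example.
ACCEPTED = {"DENY", "SAMEORIGIN"}


def check_x_frame_options(headers):
    """Return (ok, detail) for a list of (name, value) response header pairs."""
    values = [value for name, value in headers
              if name.strip().lower() == "x-frame-options"]
    if not values:
        return False, "header missing"
    # A repeated header and a comma-separated value are equivalent on the wire.
    tokens = {t.strip().upper() for v in values for t in v.split(",") if t.strip()}
    if not tokens:
        return False, "header present but empty"
    if len(tokens) > 1:
        # Assumption: conflicting values are reported so they get reviewed.
        return False, "conflicting values: " + ", ".join(sorted(tokens))
    (token,) = tokens
    if token not in ACCEPTED:
        return False, "value is not DENY or SAMEORIGIN: " + token
    return True, token


# Constructed sample responses (URL -> headers), not real crawl data.
SAMPLES = {
    "https://example.com/": [("Content-Type", "text/html"), ("X-Frame-Options", "DENY")],
    "https://example.com/login": [("x-frame-options", "sameorigin")],
    "https://example.com/about": [("Content-Type", "text/html")],
    "https://example.com/legacy": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
    "https://example.com/proxy": [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")],
}


def audit(samples):
    """Return {url: detail} for every URL that would be reported."""
    report = {}
    for url, headers in samples.items():
        ok, detail = check_x_frame_options(headers)
        if not ok:
            report[url] = detail
    return report


if __name__ == "__main__":
    for url, detail in audit(SAMPLES).items():
        print(f"{url}: {detail}")
```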