Missing X-Frame-Options Header

Severity: Low

Invicti detected a missing X-Frame-Options header which means that this website could be at risk of a clickjacking attack.

The X-Frame-Options HTTP header field indicates a policy that specifies whether the browser should render the transmitted resource within a frame or an iframe. Servers can declare this policy in the header of their HTTP responses to prevent clickjacking attacks, which ensures that their content is not embedded into other pages or frames.


Clickjacking is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on a framed page when they were intending to click on the top level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to other another page, most likely owned by another application, domain, or both.

Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing in the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.

  • Sending the proper X-Frame-Options in HTTP response headers that instruct the browser to not allow framing from other domains.
    • X-Frame-Options: DENY  It completely denies to be loaded in frame/iframe.
    • X-Frame-Options: SAMEORIGIN It allows only if the site which wants to load has a same origin.
    • X-Frame-Options: ALLOW-FROM URL It grants a specific URL to load itself in a iframe. However please pay attention to that, not all browsers support this.
  • Employing defensive code in the UI to ensure that the current frame is the most top level window.

Build your resistance to threats. And save hundreds of hours each month.

Get a demo See how it works