Multiple Declarations in X-Frame-Options Header

Severity: Low

Invicti detected that the X-Frame-Options HTTP response header was sent more than once in a single response.


Browsers don't expect to receive more than a single X-Frame-Options header from web servers. If those expectations are not met this might result in undefined behavior. That means if the server sends more than one X-Frame-Options header in a single HTTP response, browsers might ignore the header or fallback it to DENY option. So it can change the expected behavior of the site.

If the browser ignores the multiple definition of X-Frame-Options in the response header, a broken X-Frame-Options header will expose your users to UI Redressing attacks like Clickjacking.


Make sure that only one X-Frame-Options header is sent in each HTTP response in order to prevent unexpected behavior. Additionally, you can define the frame-ancestors Content-Security-Policy directive.

Invicti Logo

Dead accurate, fast & easy-to-use Web Application Security Scanner

Get a demo