Name in API: x_frame_options_incorrect_v2
Severity: Low
Factor: Application Security
Summary
The "Site Does Not Use Best Practices Against Embedding of Malicious Content" issue type highlights a missing, incorrect or misconfigured X-Frame-Options HTTP response header on a website. This header tells the browser whether the page may be rendered inside an <iframe> (or other frame) on another page, and is the classic defence against clickjacking attacks.
How Does It Work?
When a browser loads a page, it reads the X-Frame-Options response header to decide whether that page may be rendered inside an <iframe>, <frame>, <embed> or <object> on another page. If the header is missing, set to an unrecognised value, or sent inconsistently across the application, the page can be framed by any site, or legitimate embedding can break unexpectedly.
A web application can set the header to one of the following values:
- DENY
- SAMEORIGIN
- ALLOW-FROM <uri>
- DENY: the browser refuses to render the page in any frame, whoever is framing it.
- SAMEORIGIN: the browser renders the page in a frame only when the framing page has the same origin (scheme, host and port).
- ALLOW-FROM <uri>: the page may be framed only by the single origin given in <uri>. This value is obsolete: current browsers do not recognise it and ignore the header, so it must not be relied on. To allow specific framers, use the Content-Security-Policy frame-ancestors directive instead; browsers that support frame-ancestors give it precedence over X-Frame-Options.
Why Is It a Risk?
A missing or misconfigured X-Frame-Options header is a security risk because it enables clickjacking: an attacker loads the legitimate website inside an invisible or disguised iframe on a page they control and overlays decoy content, so users who believe they are interacting with the attacker's page are actually clicking buttons or typing into the hidden frame. Because the victim is usually already authenticated to the legitimate site, those hijacked clicks can trigger unauthorized transactions, change account settings, or leak credentials and other data. Setting the header correctly (or a Content-Security-Policy frame-ancestors directive) lets the browser refuse to render the page in a hostile frame and protects users from this kind of UI deception.
Self Evaluation
You can validate the presence or absence of the X-Frame-Options header on the endpoint with the third-party tools below; running more than one is a good way to reconcile contradictory results. When comparing results, make sure that every tool scans the same endpoint (same scheme, host, port and path) as the one named in the SecurityScorecard finding, since the header is often set per virtual host or per location.
To inspect your website's HTTP response headers, use the browser's developer tools or a header scanner such as securityheaders.com. Confirm that X-Frame-Options is set to DENY or SAMEORIGIN, then test the embedding behaviour directly (load the page in an iframe served from another origin and confirm the browser refuses to render it) to verify that the protection is effective.
I - Check with Curl
Request only the response headers and look for an x-frame-options line. In the sample response below the header is absent, which is the condition this finding reports:
curl -I -s https://example.com
HTTP/2 200
content-type: text/html
etag: "84238dfc8092e5d9c0dac8ef93371a07:1736799080.121134"
last-modified: Mon, 13 Jan 2025 20:11:20 GMT
cache-control: max-age=3028
date: Thu, 27 Mar 2025 20:05:31 GMT
alt-svc: h3=":443"; ma=93600,h3-29=":443"; ma=93600,quic=":443"; ma=93600; v="43"
II - Check with Curl and grep
curl -I -s https://example.com | grep -i "X-Frame-Options"
If the header is missing, the command prints nothing, which indicates a potential security issue. Note that grep only tests presence: a header that is present but set to ALLOW-FROM or to an unrecognised value also leaves the page unprotected, so check the value as well.
Command Explanation
- curl -I → Fetches only the HTTP headers (sends a HEAD request).
- -s → Runs silently, without progress output.
- grep -i "X-Frame-Options" → Filters and displays only the X-Frame-Options header (case-insensitive).
III - Check with securityheaders.com
Enter the endpoint URL; the report lists X-Frame-Options under Missing Headers when the endpoint does not send it.
IV - Check in the browser
Open the browser's developer tools, load the page, select the document request in the Network tab and inspect its Response Headers for x-frame-options.
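The curl | grep check above only tells you whether the header exists. The following script is an added example (not SecurityScorecard's tooling or code from this page) that also evaluates the value, so it distinguishes the three header values described under "How Does It Work?", flags the obsolete ALLOW-FROM form, detects conflicting duplicates, and honours a Content-Security-Policy frame-ancestors directive, which current browsers apply in preference to X-Frame-Options. The sample responses in SAMPLES are constructed for offline use and were not captured from any real host; the optional fetch_raw_headers helper and the "xfo-check" user agent are assumptions for live use.

```python
"""Evaluate the clickjacking protection declared by an HTTP response.

Added example, not SecurityScorecard's tooling. Unlike the curl | grep
check, it inspects the header value, so it also catches the obsolete
ALLOW-FROM form, unrecognised values, conflicting duplicates, and a
Content-Security-Policy frame-ancestors directive, which current browsers
honour in preference to X-Frame-Options.
"""
import urllib.error
import urllib.request

VALID_XFO = {"DENY", "SAMEORIGIN"}


def parse_headers(raw):
    """Turn a raw header block (as printed by `curl -I`) into a list of
    (lower-cased name, value) pairs, keeping duplicates and their order."""
    pairs = []
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue  # status line, blank line or stray text
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def classify_framing(raw):
    """Return (verdict, detail) for the header block `raw`.

    verdict:
      "protected" - DENY, SAMEORIGIN, or a restrictive frame-ancestors directive
      "weak"      - ALLOW-FROM (ignored by current browsers) or frame-ancestors *
      "conflict"  - several X-Frame-Options values that disagree
      "invalid"   - an X-Frame-Options value browsers do not recognise
      "missing"   - no framing restriction declared at all
    """
    headers = parse_headers(raw)

    # frame-ancestors overrides X-Frame-Options in browsers that support CSP,
    # so its verdict wins whenever the directive is present.
    for policy in (v for n, v in headers if n == "content-security-policy"):
        for directive in policy.split(";"):
            tokens = directive.split()
            if len(tokens) < 2 or tokens[0].lower() != "frame-ancestors":
                continue  # other directive, or an empty source list
            sources = tokens[1:]
            if "*" in sources:
                return "weak", "CSP frame-ancestors * lets any origin frame the page"
            return "protected", "CSP frame-ancestors " + " ".join(sources)

    # Split on commas as well: proxies may fold duplicate headers into one line.
    values = {part.strip().upper()
              for n, v in headers if n == "x-frame-options"
              for part in v.split(",") if part.strip()}
    if not values:
        return "missing", "no X-Frame-Options header or frame-ancestors directive"
    if len(values) > 1:
        return "conflict", "differing X-Frame-Options values: " + ", ".join(sorted(values))
    value = values.pop()
    if value in VALID_XFO:
        return "protected", "X-Frame-Options " + value
    if value.startswith("ALLOW-FROM"):
        return "weak", "ALLOW-FROM is obsolete and ignored by current browsers; use frame-ancestors"
    return "invalid", "unrecognised X-Frame-Options value: " + value


def fetch_raw_headers(url, timeout=10):
    """Fetch the status line and headers of `url` (needs network access).

    A GET rather than HEAD is used because some servers omit security
    headers on HEAD responses; the body is never read.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "xfo-check/1.0"})
    try:
        resp = urllib.request.urlopen(req, timeout=timeout)
    except urllib.error.HTTPError as err:
        resp = err  # 4xx/5xx responses still carry headers worth checking
    with resp:
        status = "HTTP/1.1 %s %s" % (resp.getcode(), resp.reason)
        return status + "\n" + "".join("%s: %s\n" % kv for kv in resp.headers.items())


# Constructed sample responses for offline use (not captured from any real host).
SAMPLES = {
    "missing": "HTTP/2 200\ncontent-type: text/html\ncache-control: max-age=3028\n",
    "sameorigin": "HTTP/2 200\ncontent-type: text/html\nx-frame-options: SAMEORIGIN\n",
    "allow_from": "HTTP/1.1 200 OK\nX-Frame-Options: ALLOW-FROM https://partner.example\n",
    "conflict": "HTTP/1.1 200 OK\nX-Frame-Options: DENY\nX-Frame-Options: SAMEORIGIN\n",
    "csp_none": "HTTP/1.1 200 OK\nX-Frame-Options: ALLOW-FROM https://a.example\n"
                "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\n",
    "csp_wildcard": "HTTP/1.1 200 OK\nX-Frame-Options: DENY\n"
                    "Content-Security-Policy: frame-ancestors *\n",
}


def audit_samples():
    """Classify every constructed sample; returns {name: verdict}."""
    return {name: classify_framing(raw)[0] for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        verdict, detail = classify_framing(fetch_raw_headers(sys.argv[1]))
        print(verdict + ": " + detail)
    else:
        for name, verdict in audit_samples().items():
            print("%-12s %s" % (name, verdict))
```

Run it with no arguments to see the verdicts for the constructed samples, or with a URL to check a live endpoint. Note that the csp_wildcard sample is reported as weak even though it carries X-Frame-Options: DENY, because a frame-ancestors directive replaces X-Frame-Options in every browser that supports CSP; the reverse also holds, which is why csp_none is protected despite its ALLOW-FROM. If you prefer curl for the live check, curl -s -D - -o /dev/null https://example.com sends a GET and prints only the headers, avoiding servers that answer HEAD differently.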
How to mitigate
- Set the header to DENY or SAMEORIGIN on every response from the endpoint so that it cannot be embedded by an external page. Where a specific partner site must be allowed to frame it, use a Content-Security-Policy frame-ancestors directive listing that origin rather than the obsolete ALLOW-FROM value.
- Keep the web server and the application's frameworks and libraries up to date; several frameworks set the header by default, and updates keep that default in place.
securityheaders.com
The report shows X-Frame-Options set to SAMEORIGIN. To configure this on nginx, add the directive add_header X-Frame-Options "SAMEORIGIN" always; to the relevant server or location block of the configuration file, then test the configuration and reload the server. Be aware that an add_header directive inside a location block replaces all add_header directives inherited from the enclosing server block, so repeat the header in any location block that sets its own headers.
curl with grep
curl -I -s https://securityscorecard.com | grep -i "X-Frame-Options"
x-frame-options: SAMEORIGIN
Remediation
SecurityScorecard allows the removal of findings if any of the following is true:
- The endpoint configuration has been changed and the X-Frame-Options header has been added to the endpoint.
=> Select the finding and then click the "Fixed" button ("technical_remediation").
- The endpoint has been closed and is therefore unreachable (or serves a 400/404).
=> Select the finding and then click the "Fixed" button ("technical_remediation").
- After verification (for example with the methods above), the endpoint named in the finding does send an X-Frame-Options header, contrary to what SecurityScorecard reports.
=> Select the finding and then click "Other resolutions" --> "I cannot reproduce this issue and I think it's incorrect" ("false_positive").
- A WAF or IDS/IPS sits in front of the endpoint named in the finding and is configured to mitigate the attack. Since clickjacking happens in the victim's browser, such a device only mitigates it if it adds the X-Frame-Options header (or a frame-ancestors directive) to the responses it forwards.
=> Select the finding and then click "Other resolutions" --> "I have a compensating control" ("compensating_control").