Name in API: x_frame_options_incorrect_v2
Severity: Low
Factor: Application Security
Summary
The "Site Does Not Use Best Practices Against Embedding of Malicious Content" issue type highlights the absence or misconfiguration of modern protections, such as the Content-Security-Policy (CSP) frame-ancestors directive, or the legacy X-Frame-Options HTTP header. These headers control whether a webpage can be embedded within an <iframe> or similar elements, helping to prevent clickjacking attacks by restricting unauthorized framing of web content.
How Does It Work?
When a browser loads a webpage, it checks the Content-Security-Policy (CSP) header — particularly the frame-ancestors directive — to determine whether the page can be embedded in a <frame>, <iframe>, or similar elements. This directive offers flexible, modern protection against clickjacking attacks.
Some legacy applications still use the older X-Frame-Options header, which is now deprecated but may act as a fallback. It supports the following values:
-
DENY– Completely prevents the page from being displayed in a frame. -
SAMEORIGIN– Allows the page to be embedded only if the parent is from the same origin. -
ALLOW-FROM <uri>– Intended to allow embedding only from a specific origin, but this value is deprecated and not supported by most modern browsers.
To ensure robust protection, it is strongly recommended to use Content-Security-Policy: frame-ancestors instead of relying solely on X-Frame-Options
Why Is It a Risk?
The absence or misconfiguration of the X-Frame-Options header is a security risk because it can enable clickjacking attacks, where attackers embed a legitimate website inside an invisible iframe on a malicious site. Users may unknowingly interact with the hidden iframe, leading to unintended actions like unauthorized transactions or data theft. An attacker may trick users into clicking buttons, stealing credentials, or executing harmful actions. Properly setting this header helps protect users from UI-based deception attacks.
Self Evaluation
You may validate the presence or absence of X-Frame-Options or Content-Security-Policy: frame-ancestors on the endpoint using third-party tools. These tools help verify implementation and resolve contradictory results. When comparing outputs, ensure the same endpoint is scanned and matches the SecurityScorecard finding.
To check your website’s HTTP response headers, use browser DevTools or tools like securityheaders.com. Ensure the Content-Security-Policy header includes the frame-ancestors directive. If using X-Frame-Options for legacy support, it should be set to DENY or SAMEORIGIN. Test iframe embedding behavior to confirm protection against clickjacking attacks.
I - Check with Curl
curl -I -s https://example.com
HTTP/2 200
content-type: text/html
etag: "84238dfc8092e5d9c0dac8ef93371a07:1736799080.121134"
last-modified: Mon, 13 Jan 2025 20:11:20 GMT
cache-control: max-age=3028
date: Thu, 27 Mar 2025 20:05:31 GMT
alt-svc: h3=":443"; ma=93600,h3-29=":443"; ma=93600,quic=":443"; ma=93600; v="43"II - Check with Curl and grep
curl -I -s https://example.com | grep -i "X-Frame-Options"
If the header is missing, no output will be returned, indicating a potential security
issue
Command Explanation
curl -I→ Fetches only the HTTP headers.-s→ Runs silently without progress output.grep -i "X-Frame-Options"→ Filters and displays only theX-Frame-Optionsheader (case-insensitive).
securityheaders.com
Missing Header
By inspecting Response Headers in the Console of Web Browser
How to mitigate
The header is set to DENY or SAMEORIGIN to prevent embedding on external page.
Regularly update the website library
securityheaders.com
X-frame is set to SAMEORIGIN - To configure. file: add_header X-Frame-Options "SAMEORIGIN" always and restart your server
curl with grep
curl -I -s https://securityscorecard.com | grep -i "X-Frame-Options"
x-frame-options: SAMEORIGIN
Remediation
SecurityScorecard allows the removal of findings if either of the following is true:
- Endpoint configuration has been changed, and appropriate frame embedding protections (e.g., Content-Security-Policy: frame-ancestors or X-Frame-Options) have been added to the endpoint.
=> Select the finding and then click on the "Fixed" button → "technical_remediation". - The endpoint has been closed and therefore the endpoint is unreachable (or serving a 400/404)
=> Select the finding and then click on the "Fixed" button, "technical_remediation". - After verification (e.g., using browser DevTools or external scanners), the endpoint does include a valid frame-ancestors directive in its CSP header or an appropriate X-Frame-Options value, contrary to what SecurityScorecard reports.
=> Select the finding and then click on "Other resolutions" --> "I cannot reproduce this issue and I think it’s incorrect", "false_positive". -
There is a WAF or IDS/IPS sitting in front of the endpoint defined in the finding, and the signatures of these systems are defined to mitigate any attacks.
=> Select the finding and then click on "Other resolutions" --> "I have a compensating control"