X-Frame-Options
Description:
Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages
The server did not return an X-Frame-Options header with the value DENY or SAMEORIGIN, which means that this website could be at risk of a clickjacking attack.
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page inside a frame or iframe. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into untrusted sites.
Related CVE:
CWE-1021: Improper Restriction of Rendered UI Layers or Frames:
The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.
A web application is expected to place restrictions on whether it is allowed to be rendered within frames, iframes, objects, embed or applet elements. Without the restrictions, users can be tricked into interacting with the application when they were not intending to.
Description of Issue:
A clickjacked page tricks a user into performing undesired actions by clicking on concealed links. On a clickjacked page, the attackers load another page over the original page in a transparent layer to trick the user into taking actions, the outcomes of which will not be the same as the user expects.
The unsuspecting users think that they are clicking visible buttons, while they are actually performing actions on the invisible page, clicking buttons of the page below the layer.
The hidden page may be an authentic page; therefore, the attackers can trick users into performing actions which the users never intended. There is no way of tracing such actions to the attackers later, as the users would have been genuinely authenticated on the hidden page.
Remediation Steps:
Configure your web server to include an X-Frame-Options header and a CSP header with frame-ancestors directive. Consult Web references for more information about the possible values for this header.
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.
Directives:
deny: This directive stops the site from being rendered in <frame> i.e. site can’t be embedded into other sites.
sameorigin: This directive allows the page to be rendered in the frame iff frame has the same origin as the page.
allow-from uri: This directive has now became obsolete and shouldn’t be used. It is not supported by modern browser. In this the page can be rendered in the <frame> that is originated from specified uri.