Suboptimal Anti-clickjacking Headers
What is it?
The API endpoint or server returned a response with suboptimal anti-clickjacking headers.
The following distinct issues are covered under this category:
1. Missing Anti-clickjacking Header
Summary
The response does not include either a Content-Security-Policy header with a 'frame-ancestors' directive or an X-Frame-Options header to protect against clickjacking attacks.
Solution
Modern web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all responses returned by your API.
OWASP recommends that API responses set the 'X-Frame-Options' header to 'DENY'.
2. Multiple X-Frame-Options Header Entries In Response
Summary
Multiple X-Frame-Options (XFO) headers were found in the response. A response with multiple XFO header entries may not be predictably processed by all user-agents.
Solution
Ensure only a single X-Frame-Options header is present in the response.
3. X-Frame-Options Setting Malformed
Summary
An X-Frame-Options header was present in the response but the value was not correctly set.
Solution
Ensure a valid setting is used on all responses returned by your API server. OWASP recommends that API responses set the 'X-Frame-Options' header to 'DENY'.
References
Test case FAQs
When is this test case applicable?
This is applicable for all API endpoints when the Baseline security category is enabled in test plans.
How does it work?
Responses sent by the API server are analyzed for suboptimal/missing 'X-Frame-Options' headers.
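The following added example (not part of the original test-case documentation) shows the kind of check described above: it takes a response's header list and reports which of the three issues apply. The header list is kept as (name, value) pairs rather than a dict so that repeated X-Frame-Options entries are not silently collapsed; the sample responses at the bottom are constructed for illustration.

```python
from typing import List, Tuple

# Values defined by RFC 7034. ALLOW-FROM is obsolete and ignored by modern
# browsers, so anything outside this set is reported as malformed.
VALID_XFO = {"DENY", "SAMEORIGIN"}


def check_anti_clickjacking(headers: List[Tuple[str, str]]) -> List[str]:
    """Return the names of the anti-clickjacking issues found in a response.

    `headers` is a list of (name, value) pairs, preserving duplicate entries.
    Header names are matched case-insensitively, as HTTP requires.
    """
    issues: List[str] = []
    xfo = [v.strip() for n, v in headers if n.lower() == "x-frame-options"]
    csp = [v for n, v in headers if n.lower() == "content-security-policy"]

    # A CSP header only protects against framing if it carries frame-ancestors;
    # other directives such as default-src do not restrict who may frame the page.
    csp_frame_ancestors = any(
        directive.strip().lower().startswith("frame-ancestors")
        for value in csp
        for directive in value.split(";")
    )

    if not xfo and not csp_frame_ancestors:
        issues.append("Missing Anti-clickjacking Header")
    if len(xfo) > 1:
        issues.append("Multiple X-Frame-Options Header Entries In Response")
    if any(v.upper() not in VALID_XFO for v in xfo):
        issues.append("X-Frame-Options Setting Malformed")
    return issues


if __name__ == "__main__":
    # Constructed sample responses, one per outcome.
    samples = {
        "no headers": [("Content-Type", "application/json")],
        "xfo deny": [("X-Frame-Options", "DENY")],
        "csp only": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
        "duplicate xfo": [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")],
        "obsolete allow-from": [("X-Frame-Options", "ALLOW-FROM https://example.com")],
    }
    for label, hdrs in samples.items():
        print(f"{label}: {check_anti_clickjacking(hdrs) or 'ok'}")
```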
What is the solution?
Please refer to the solutions for the specific issues listed above: Missing Anti-clickjacking Header, Multiple X-Frame-Options Header Entries In Response, X-Frame-Options Setting Malformed.