Missing X-Frame-Options Header

  • CWE 693
  • CAPEC 103
  • OWASP 2013-A5
  • OWASP 2017-A6

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

An attacker can load an iframe on their own site and set your site as its source, <iframe src="http://your.site"></iframe>. Using some crafty CSS they can hide your site in the background and create genuine-looking overlays. When your visitors click on what they think is a harmless link, they are actually clicking on links on your website in the background. The browser executes those requests in the context of the user, which may include them being logged in and authenticated to your site.

Remediation

There are three possible directives for X-Frame-Options:

  1. DENY

    The page cannot be displayed in a frame, regardless of the site attempting to do so.

  2. SAMEORIGIN

    The page can only be displayed in a frame on the same origin as the page itself.

  3. ALLOW-FROM uri

    The page can only be displayed in a frame on the specified origin.
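
To review this finding against a captured response, the following Python example (added here, not part of the original page) classifies the X-Frame-Options value according to the three directives above and flags the misconfigurations a scanner should report: a missing header, duplicate headers, an unrecognised value, and the obsolete ALLOW-FROM form. The raw responses in it are constructed samples, not real traffic.

```python
"""Classify a response's X-Frame-Options header for a clickjacking review.

Added example, not part of the original finding. The raw responses at the
bottom are constructed samples, not captured traffic.
"""
from typing import Iterable

MISSING, OK, WEAK, INVALID = "missing", "ok", "weak", "invalid"


def parse_headers(raw_response: str) -> list[tuple[str, str]]:
    """Split the head of a raw HTTP response into (name, value) pairs.

    Duplicate headers are kept as separate pairs so they can be flagged.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name:
            pairs.append((name.strip(), value.strip()))
    return pairs


def check_x_frame_options(headers: Iterable[tuple[str, str]]) -> tuple[str, str]:
    """Return (verdict, detail) for X-Frame-Options, matching names case-insensitively."""
    values = [v for k, v in headers if k.lower() == "x-frame-options"]
    if not values:
        return MISSING, "header absent: any site may frame this page"
    if len(values) > 1:
        return INVALID, "multiple X-Frame-Options headers: browser handling differs, send exactly one"
    directive, _, arg = values[0].strip().partition(" ")
    directive = directive.upper()  # RFC 7034: directive names are case-insensitive
    arg = arg.strip()
    if directive in ("DENY", "SAMEORIGIN") and not arg:
        return OK, f"{directive}: framing restricted"
    if directive == "ALLOW-FROM" and arg:
        # Never supported by Chrome and dropped by Firefox; current browsers ignore it.
        return WEAK, f"ALLOW-FROM {arg}: obsolete directive, not honoured by current browsers"
    return INVALID, f"unrecognised value {values[0]!r}: browsers ignore it, page can be framed"


if __name__ == "__main__":
    SAMPLES = {  # constructed responses
        "no header": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
        "deny": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n\r\n",
        "typo": "HTTP/1.1 200 OK\r\nx-frame-options: SAME-ORIGIN\r\n\r\n",
    }
    for label, raw in SAMPLES.items():
        print(label, *check_x_frame_options(parse_headers(raw)))
```

A value such as SAME-ORIGIN is the case most often missed in manual review: the header is present, yet browsers discard it and the page remains frameable.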

References