Web Application Header Assessment
Required for HTTP 1.0 and HTTP 1.1
Properly setting X-Frame-Options helps prevent clickjacking by telling the browser not to render the page inside a frame on another site. The header is defined in RFC 7034. The only values this assessment accepts are DENY (never allow the page to be framed) and SAMEORIGIN (allow framing only by pages from the same origin). ALLOW-FROM, the third value in RFC 7034, is ignored by modern browsers, so a response that sends it gets no framing protection at all; it does not currently lower the Web Application Headers grade, but it should be replaced with DENY or SAMEORIGIN, or with a Content-Security-Policy frame-ancestors directive, which supersedes X-Frame-Options in browsers that support both.
See finding messages.
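The following is an added example, not code from the assessment service itself. It classifies a response's X-Frame-Options header the way the text above describes (DENY and SAMEORIGIN pass; ALLOW-FROM is tolerated but protects nothing; a missing, empty, unknown or conflicting value fails) and also reports whether a Content-Security-Policy frame-ancestors directive is present, since that directive takes precedence. The header dictionary, the status labels and the sample responses are constructed for the example.

```python
"""Assess X-Frame-Options the way the header assessment above describes.

Added illustration; status labels PASS/WARN/FAIL and the sample responses
below are constructed for this example, not taken from the assessment service.
"""
from typing import Dict, Optional, Tuple

PASS, WARN, FAIL = "pass", "warn", "fail"


def _get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    # Header field names are case-insensitive, so match without regard to case.
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def assess_x_frame_options(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (status, reason) for the X-Frame-Options header in `headers`."""
    raw = _get_header(headers, "X-Frame-Options")
    if raw is None:
        return FAIL, "X-Frame-Options header is missing"

    # Repeated header fields arrive comma-joined; compare case-insensitively
    # and de-duplicate so "DENY, deny" counts as one value.
    values = {part.strip().lower() for part in raw.split(",") if part.strip()}
    if len(values) > 1:
        return FAIL, f"conflicting X-Frame-Options values: {sorted(values)}"

    value = next(iter(values), "")
    if value in ("deny", "sameorigin"):
        return PASS, f"X-Frame-Options: {value.upper()}"
    if value.startswith("allow-from"):
        # Tolerated by the grade, but modern browsers ignore it: no protection.
        return WARN, "ALLOW-FROM is ignored by modern browsers; page is not protected"
    return FAIL, f"invalid X-Frame-Options value: {raw!r}"


def frame_ancestors_present(headers: Dict[str, str]) -> bool:
    """True if Content-Security-Policy carries a frame-ancestors directive."""
    csp = _get_header(headers, "Content-Security-Policy")
    if not csp:
        return False
    directives = (d.strip().lower() for d in csp.split(";"))
    return any(d.startswith("frame-ancestors") for d in directives)


def assess(headers: Dict[str, str]) -> Tuple[str, str]:
    """Combine both checks: CSP frame-ancestors supersedes X-Frame-Options."""
    status, reason = assess_x_frame_options(headers)
    if frame_ancestors_present(headers):
        reason += "; CSP frame-ancestors is present and takes precedence"
    return status, reason


# Constructed sample responses (not real captures).
SAMPLES = {
    "deny":       {"X-Frame-Options": "DENY"},
    "sameorigin": {"x-frame-options": " sameorigin "},
    "allow-from": {"X-Frame-Options": "ALLOW-FROM https://example.com"},
    "conflict":   {"X-Frame-Options": "DENY, SAMEORIGIN"},
    "bogus":      {"X-Frame-Options": "ALLOWALL"},
    "missing":    {"Content-Type": "text/html"},
    "csp":        {"X-Frame-Options": "DENY",
                   "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        status, reason = assess(hdrs)
        print(f"{name:<11} {status:<5} {reason}")
```

On the server side the passing configuration is a single header with one of the two accepted values, for example `add_header X-Frame-Options "SAMEORIGIN" always;` in nginx, paired with `Content-Security-Policy: frame-ancestors 'self'` so that browsers honouring CSP get the same policy.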
- March 26, 2025: Corrected requirements, required for HTTP 1.0 and HTTP 1.1.
- September 12, 2023: Separated finding messages.
- October 1, 2020: ALLOW-FROM is no longer good security practice.