Optional for both HTTP/1.0 and HTTP/1.1
Properly setting X-Frame-Options helps prevent clickjacking attacks by not allowing the browser to render this page in a frame. The X-Frame-Options header is defined in RFC 7034. The only valid options for this header are DENY and SAMEORIGIN. Though ALLOW-FROM is ignored by modern browsers, it does not currently negatively impact the Web Application Headers grade.
See finding messages.
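As an added example (not code from the assessment tool), a small Python check that applies the rules above to a response's headers and produces a verdict plus a finding message. The header sets are constructed samples, and assess_x_frame_options is a name chosen here.

```python
"""Assess a response's X-Frame-Options header against the rules described above.

Added example, not the assessment tool's own code. Verdicts:
  pass - DENY or SAMEORIGIN (the only valid directives per RFC 7034)
  warn - ALLOW-FROM (ignored by modern browsers; not a grade penalty here)
  fail - header missing, invalid value, or more than one directive
"""
from typing import Dict, List, Tuple

VALID_DIRECTIVES = {"DENY", "SAMEORIGIN"}


def assess_x_frame_options(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, finding message) for a mapping of response headers.

    Header names are matched case-insensitively. Repeated headers are
    usually collapsed into one comma-separated value, so the value is split
    on commas and more than one directive is reported as a failure.
    """
    values: List[str] = [v for k, v in headers.items() if k.lower() == "x-frame-options"]
    if not values:
        return ("fail", "X-Frame-Options is not set; the page may be rendered in a frame by any site.")
    directives = [d.strip().upper() for v in values for d in v.split(",") if d.strip()]
    if len(directives) != 1:
        return ("fail", f"Multiple X-Frame-Options directives ({', '.join(directives)}); send exactly one.")
    directive = directives[0]
    if directive in VALID_DIRECTIVES:
        return ("pass", f"X-Frame-Options is set to {directive}.")
    if directive.startswith("ALLOW-FROM"):
        return ("warn", "ALLOW-FROM is ignored by modern browsers; use DENY or SAMEORIGIN instead.")
    return ("fail", f"Invalid X-Frame-Options value {directive!r}; only DENY and SAMEORIGIN are valid.")


# Constructed sample header sets (not captured from any real site).
SAMPLES = {
    "hardened": {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"},
    "legacy":   {"content-type": "text/html", "x-frame-options": "ALLOW-FROM https://example.com"},
    "missing":  {"Content-Type": "text/html"},
    "conflict": {"X-Frame-Options": "DENY, SAMEORIGIN"},
    "typo":     {"X-Frame-Options": "SAME-ORIGIN"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        verdict, message = assess_x_frame_options(hdrs)
        print(f"{name:9} {verdict:4} {message}")
```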
- September 26, 2024: Corrected requirements, not "Required for HTTP/1.0."
- September 12, 2023: Separated finding messages.
- October 1, 2020: ALLOW-FROM is no longer good security practice.