X-Frame-Options Defined via META (Non-compliant with Spec)
- Risk:
Medium
- Type:
- Passive
- CWE:
- 1021
- Summary
- An X-Frame-Options (XFO) META tag was found, defining XFO via a META tag is explicitly not supported by the spec (RFC 7034).
- Solution
- Ensure X-Frame-Options is set via a response header field. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.