X-Frame-Options Setting Malformed

Risk:
Medium

Type:
Passive

CWE:
CWE-1021

Summary: An X-Frame-Options header was present in the response but the value was not correctly set.

Solution: Ensure a valid setting is used on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.

References: https://tools.ietf.org/html/rfc7034#section-2.1

Free security scan for your website

Don't show website scan report rating on the leaderboard