HTTP Missing Frame-Ancestors Header
Description
Detects a missing or improper frame-ancestors directive in the Content-Security-Policy (CSP) header. Without this directive, the page can be embedded in an attacker-controlled website through an iframe, enabling clickjacking attacks in which users unknowingly interact with the embedded content.
Weakness: 043 - Insecure or unset HTTP headers - Content-Security-Policy
Category: Protocol Manipulation
Detection Strategy
• Examines HTTP response headers for Content-Security-Policy (CSP) header
• Checks if the CSP header includes a frame-ancestors directive
• Reports a vulnerability if the frame-ancestors directive is missing or contains unsafe values like 'none' or '*'
• Triggers when examining HTTP responses that lack proper frame ancestry controls in their security headers
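The detection strategy above, written out as a small checker. This is an added example and not Fluid Attacks' own scanner code; it takes response headers as a list of (name, value) pairs, which is an assumption about how the client library exposes them, and the sample responses at the bottom are constructed. Two points the checker makes explicit: the Report-Only variant of the header never blocks framing, so it does not satisfy the check, and a bare scheme such as `https:` is as permissive as `*`. Note that the example treats `'none'` as the strictest setting, since per the CSP specification it forbids every ancestor.

```python
"""Check HTTP response headers for a restrictive frame-ancestors directive.

Hypothetical checker written for this page, not Fluid Attacks' own code.
Input is a list of (name, value) header pairs so repeated headers survive.
"""
from __future__ import annotations

# Source expressions that place no restriction on the embedding origin.
UNRESTRICTED_SOURCES = {"*", "http:", "https:"}


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a CSP value into {directive-name: [source-expressions]}.

    Directive names are case-insensitive. When a directive is repeated
    inside one policy, browsers keep the first occurrence and ignore the rest.
    """
    directives: dict[str, list[str]] = {}
    for raw in policy.split(";"):
        tokens = raw.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def frame_ancestors_restricts(sources: list[str]) -> bool:
    """True when the source list confines framing to specific origins.

    An empty list and 'none' both forbid every ancestor, which is the
    strictest setting. A wildcard or bare scheme allows any origin.
    """
    lowered = [s.lower() for s in sources]
    if not lowered or lowered == ["'none'"]:
        return True
    return not any(s in UNRESTRICTED_SOURCES for s in lowered)


def check_frame_ancestors(headers: list[tuple[str, str]]) -> str | None:
    """Return a finding, or None when an enforced policy restricts framing.

    Only Content-Security-Policy counts: Content-Security-Policy-Report-Only
    never blocks framing. When several enforced policies are sent, the
    browser applies all of them, so one restrictive policy is enough.
    """
    policies = [v for n, v in headers if n.lower() == "content-security-policy"]
    if not policies:
        return "missing Content-Security-Policy header"
    directives = [parse_csp(p).get("frame-ancestors") for p in policies]
    present = [d for d in directives if d is not None]
    if not present:
        return "Content-Security-Policy lacks a frame-ancestors directive"
    if any(frame_ancestors_restricts(d) for d in present):
        return None
    return f"frame-ancestors does not restrict framing: {' '.join(present[0])}"


# Constructed sample responses covering each outcome (not captured traffic).
SAMPLES = {
    "no_csp": [("Content-Type", "text/html")],
    "no_directive": [("Content-Security-Policy", "default-src 'self'; script-src 'self'")],
    "wildcard": [("Content-Security-Policy", "default-src 'self'; frame-ancestors *")],
    "report_only": [("Content-Security-Policy-Report-Only", "frame-ancestors 'none'")],
    "self_only": [("Content-Security-Policy",
                   "default-src 'self'; frame-ancestors 'self' https://portal.example")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:12} -> {check_frame_ancestors(hdrs) or 'ok'}")
```

Running the module prints one line per sample; only `self_only` comes back as `ok`, and `report_only` is reported as missing because the enforcing header is absent.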