Java Unsafe Header X Frame Options

Description

This detector identifies Java web applications that set the X-Frame-Options HTTP header to an unsafe value, which can leave the application open to clickjacking. A permissive or invalid value such as "ALLOWALL" (not a valid directive, so browsers ignore the header entirely and the page is framable from anywhere) or the deprecated "ALLOW-FROM" lets an attacker embed the page in a frame on a site they control and trick users into performing unintended actions. SAMEORIGIN is also reported: it only restricts framing to pages on the same origin, so attacker-controlled content on that origin (for example via XSS or hosted uploads) can still frame the page. Only DENY, or a Content-Security-Policy frame-ancestors directive, reliably blocks framing.

Weakness:

152 - Insecure or unset HTTP headers - X-Frame-Options

Category: Protocol Manipulation

Detection Strategy

    The detector only runs on code that imports the Java servlet API (javax.servlet or jakarta.servlet)

    It looks for calls to the setHeader() or addHeader() methods on HTTP response objects

    The receiver of the call must be a method parameter whose type is HttpServletResponse

    The header name passed to the call must be X-Frame-Options (HTTP header names are case-insensitive, so "x-frame-options" counts); the value is then checked against the safe directive DENY
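The four steps above, run as a small line-based scanner over a constructed Java servlet. This is an added example, not the detector's own implementation: the real rule works on a parsed syntax tree, whereas this script approximates it with regular expressions and only recognises string-literal header names and values. The sample source `SAMPLE_JAVA`, the class `FrameDemo` and the variable names are constructed for the example.

```python
import re
from typing import List, Tuple

# Constructed sample Java source (not from the page): one servlet whose doGet()
# sets X-Frame-Options four different ways, plus calls the detector must skip.
SAMPLE_JAVA = """\
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class FrameDemo extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) {
        resp.setHeader("X-Frame-Options", "DENY");
        resp.setHeader("x-frame-options", "SAMEORIGIN");
        resp.addHeader("X-Frame-Options", "ALLOW-FROM http://example.com");
        resp.setHeader("X-Frame-Options", "ALLOWALL");
        resp.setHeader("X-Content-Type-Options", "nosniff");
        cache.setHeader("X-Frame-Options", "ALLOWALL"); // not a response parameter
        req.getSession().setAttribute("X-Frame-Options", "DENY");
    }
}
"""

# Step 1: the file must import the servlet API.
SERVLET_IMPORT = re.compile(r"^\s*import\s+(javax|jakarta)\.servlet\.", re.M)
# Step 3: parameters declared with the servlet response type ("HttpServletResponse resp").
RESPONSE_PARAM = re.compile(r"\bHttpServletResponse\s+(\w+)")
# Step 2: <var>.setHeader("name", "value") or <var>.addHeader("name", "value").
HEADER_CALL = re.compile(
    r'\b(\w+)\.(setHeader|addHeader)\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)')


def classify_xfo_value(value: str) -> str:
    """Return 'safe' for DENY, otherwise the reason the value is reported."""
    v = value.strip().upper()
    if v == "DENY":
        return "safe"
    if v == "SAMEORIGIN":
        return "SAMEORIGIN permits framing by any page on the same origin"
    if v.startswith("ALLOW-FROM"):
        return "ALLOW-FROM is deprecated and ignored by current browsers"
    return f"'{value}' is not a valid directive; browsers ignore the header"


def scan_java_source(src: str) -> List[Tuple[int, str, str, str]]:
    """Apply the detection strategy to one Java file.

    Returns (line_no, method, value, reason) for every reported call.
    """
    if not SERVLET_IMPORT.search(src):
        return []  # step 1: non-servlet code is out of scope
    response_vars = set(RESPONSE_PARAM.findall(src))  # step 3
    findings = []
    for line_no, line in enumerate(src.splitlines(), start=1):
        for var, method, name, value in HEADER_CALL.findall(line):  # step 2
            if var not in response_vars:
                continue  # step 3: receiver is not an HttpServletResponse parameter
            if name.lower() != "x-frame-options":
                continue  # step 4: some other header
            reason = classify_xfo_value(value)
            if reason != "safe":
                findings.append((line_no, method, value, reason))
    return findings


if __name__ == "__main__":
    for line_no, method, value, reason in scan_java_source(SAMPLE_JAVA):
        print(f"line {line_no}: {method}(X-Frame-Options, {value!r}) -> {reason}")
```

Run against the constructed sample it reports lines 8, 9 and 10 (SAMEORIGIN, ALLOW-FROM and ALLOWALL) and stays silent on the DENY call, the unrelated header, and the `cache.setHeader()` call whose receiver is not a response parameter.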

Vulnerable code example

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class VulnerableXFrame extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse response) {
        // VULNERABLE: allows same-origin framing. Reported because any page on the
        // same origin, including attacker-controlled content injected via XSS, can
        // still frame this response.
        response.setHeader("X-Frame-Options", "SAMEORIGIN");
        // VULNERABLE: deprecated directive... ALLOW-FROM was never implemented in
        // Chrome or Safari and was dropped by Firefox; a browser that does not
        // recognise the value ignores the header, which is the same as not sending it.
        response.addHeader("X-Frame-Options", "ALLOW-FROM http://example.com");
    }
}

✅ Secure code example

import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SecureXFrame extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse response) {
        // Set both headers before any body is written: the servlet API ignores
        // setHeader() once the response has been committed.
        response.setHeader("X-Frame-Options", "DENY"); // SAFE: prevents all framing attacks
        // SAFE: modern CSP approach... browsers that support frame-ancestors use it
        // in preference to X-Frame-Options; DENY stays in place for the ones that do not.
        response.setHeader("Content-Security-Policy", "frame-ancestors 'none'");
    }
}
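To see why the secure example above blocks framing and the vulnerable one does not, the check below models the browser-side decision for a given set of response headers. It is an added example written for this page, not a browser implementation and not part of the detector: it follows the HTML standard's X-Frame-Options algorithm (frame-ancestors wins when present, differing X-Frame-Options values are a conflict and block, DENY blocks, SAMEORIGIN compares origins, any other value is ignored) but only inspects the direct embedder rather than the whole ancestor chain, and only understands `'none'`, `'self'` and literal `scheme://host` sources in frame-ancestors. The URLs and header sets in `CASES` are constructed for the example.

```python
from typing import Dict
from urllib.parse import urlsplit


def _origin(url: str) -> str:
    """scheme://host[:port], lower-cased, so two origins compare with ==."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def frame_allowed(headers: Dict[str, str], page_url: str, embedder_url: str) -> bool:
    """True if a browser would render page_url inside a frame on embedder_url.

    Simplified model of the HTML standard's X-Frame-Options check (assumptions
    of this example: only the direct embedder is checked, and frame-ancestors
    is supported for 'none', 'self' and literal scheme://host sources only).
    """
    h = {k.lower(): v for k, v in headers.items()}
    page_origin, embedder_origin = _origin(page_url), _origin(embedder_url)

    # A frame-ancestors directive takes precedence; X-Frame-Options is then ignored.
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [t.lower() for t in tokens[1:]]
            if "'none'" in sources:
                return False
            if "'self'" in sources and embedder_origin == page_origin:
                return True
            return any(_origin(s) == embedder_origin for s in sources if "://" in s)

    xfo = h.get("x-frame-options")
    if xfo is None:
        return True  # header absent: no restriction at all
    values = {v.strip().lower() for v in xfo.split(",") if v.strip()}
    if len(values) > 1:
        return False  # two differing values (e.g. setHeader + addHeader): conflict, blocked
    value = values.pop() if values else ""
    if value == "deny":
        return False
    if value == "sameorigin":
        return embedder_origin == page_origin
    return True  # ALLOWALL, ALLOW-FROM, typos: unrecognised, header ignored, framing allowed


# Constructed header sets (not captured from a real site) covering the values
# discussed on this page. PAGE is the protected page, ATTACKER the framing site.
PAGE = "https://app.example.com/account"
ATTACKER = "https://attacker.example.net/clickjack.html"
CASES = {
    "deny": {"X-Frame-Options": "DENY"},
    "sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "allowall": {"X-Frame-Options": "ALLOWALL"},
    "allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example.org"},
    "conflicting": {"X-Frame-Options": "SAMEORIGIN, ALLOW-FROM https://partner.example.org"},
    "csp-none": {"X-Frame-Options": "ALLOWALL",
                 "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
}


def framable_by_attacker() -> Dict[str, bool]:
    """Which of the constructed cases let ATTACKER frame PAGE."""
    return {label: frame_allowed(h, PAGE, ATTACKER) for label, h in CASES.items()}


if __name__ == "__main__":
    for label, allowed in framable_by_attacker().items():
        print(f"{label:12s} framable by attacker: {allowed}")
```

The two results worth noticing are `allowall` and `allow-from`: both come back framable by the attacker, because a value the browser does not recognise leaves the page exactly as exposed as sending no header. The `csp-none` case shows the other direction: once `frame-ancestors 'none'` is present, even an ALLOWALL X-Frame-Options header cannot re-open the page.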