Config Files Deprecated X Frame Options Header
Description
Detects the use of the deprecated X-Frame-Options header in web configuration files. The X-Frame-Options header is considered legacy and has been superseded by the Content-Security-Policy (CSP) frame-ancestors directive, which provides better protection against clickjacking attacks.
Detection Strategy
• Scans XML configuration files for header definitions
• Identifies 'add' elements that specify an X-Frame-Options header (case-insensitive match)
• Reports a vulnerability when an X-Frame-Options header configuration is found in the XML
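The three steps above, written out as a small checker. This is an added illustration, not Fluid Attacks' detector: it walks the `customHeaders` section of a web.config-style XML document, collects every `add` element whose `name` matches X-Frame-Options case-insensitively, and reports what it finds. It goes one step beyond the strategy by also checking whether a Content-Security-Policy header with a frame-ancestors directive is configured, since that is the recommended replacement. The two sample configurations are constructed for the example; the function and class names are hypothetical.

```python
"""Scan web.config-style XML for deprecated X-Frame-Options header definitions.

Hypothetical checker written for this page; it is not Fluid Attacks' own
detector. It implements the three steps of the detection strategy above and
additionally checks whether a CSP frame-ancestors directive is configured.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample inputs (not taken from any real project).
VULNERABLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="x-frame-options" value="ALLOW-FROM https://example.com" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
"""

SECURE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Frame-Options" />
        <add name="Content-Security-Policy" value="frame-ancestors 'none';" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
"""


@dataclass
class Finding:
    """One X-Frame-Options definition found in the config."""
    name: str   # header name exactly as written in the file
    value: str  # header value as written


def _header_adds(xml_text: str):
    """Yield every <add> element that lives under a <customHeaders> node.

    The text is parsed as UTF-8 bytes so the XML declaration is honoured.
    xml.etree is fine for config files you control; for untrusted XML prefer
    the defusedxml package, which disables entity expansion.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    for headers in root.iter("customHeaders"):
        for add in headers.findall("add"):
            yield add


def scan_config(xml_text: str) -> list[Finding]:
    """Steps 1-2: collect <add> elements whose name is X-Frame-Options (case-insensitive)."""
    return [
        Finding(add.get("name", ""), add.get("value", ""))
        for add in _header_adds(xml_text)
        if add.get("name", "").lower() == "x-frame-options"
    ]


def has_frame_ancestors(xml_text: str) -> bool:
    """True when a Content-Security-Policy header carrying frame-ancestors is added."""
    for add in _header_adds(xml_text):
        name = add.get("name", "").lower()
        value = add.get("value", "").lower()
        if name == "content-security-policy" and "frame-ancestors" in value:
            return True
    return False


def report(xml_text: str) -> list[str]:
    """Step 3: turn the scan into human-readable findings (empty list means clean)."""
    findings = scan_config(xml_text)
    messages = [
        f"deprecated X-Frame-Options header: {f.name}={f.value!r}" for f in findings
    ]
    if len(findings) > 1:
        messages.append("multiple X-Frame-Options definitions: the resulting header is ambiguous")
    if findings and not has_frame_ancestors(xml_text):
        messages.append("no Content-Security-Policy frame-ancestors directive configured")
    return messages


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("secure", SECURE_CONFIG)):
        print(f"[{label}]")
        for msg in report(cfg) or ["no findings"]:
            print("  -", msg)
```

Only `add` elements are matched, so a `<remove name="X-Frame-Options" />` entry does not produce a finding, which mirrors the rule's focus on header definitions rather than removals. The duplicate-definition message is extra: two `add` elements for the same header leave the effective response header ambiguous, which is exactly what the vulnerable example on this page shows.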
Vulnerable code example
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Vulnerable: first X-Frame-Options header -->
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <!-- Vulnerable: duplicate header creates ambiguity -->
        <add name="X-Frame-Options" value="ALLOW-FROM https://example.com" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
✅ Secure code example
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- Remove any existing X-Frame-Options headers first -->
        <remove name="X-Frame-Options" />
        <!-- Single strict X-Frame-Options header -->
        <add name="X-Frame-Options" value="DENY" />
        <!-- Modern CSP header for defense in depth -->
        <add name="Content-Security-Policy" value="frame-ancestors 'none';" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>