Javascript Unsafe X Frame Options Header
Description
Detects insecure X-Frame-Options header configurations in JavaScript code that could leave applications vulnerable to clickjacking attacks. When X-Frame-Options headers are misconfigured or not properly set, attackers can embed the application in malicious iframes to conduct clickjacking attacks.
Detection Strategy
• Look for JavaScript code where HTTP headers are being set or configured
• Check if X-Frame-Options header is present in the header configurations
• Verify if the X-Frame-Options value is insecure (missing, empty, or using unsafe values)
• Report a vulnerability when headers are configured without proper X-Frame-Options protections
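The detection strategy above as working code, added here as an illustration and not taken from Fluid Attacks' scanner: auditXFrameOptions (an assumed name) looks up the header case-insensitively and classifies its value the way the bullets describe, and it goes one step further by also flagging the obsolete ALLOW-FROM directive, which current browsers ignore. The sample header sets are constructed for the example.

```javascript
// Added example, not Fluid Attacks' own scanner code: a checker that applies
// the detection strategy above to a header map and returns a finding.
// auditXFrameOptions, auditAll and the sample header sets are assumed names.

// The only values browsers still enforce.
const SAFE_VALUES = new Set(['DENY', 'SAMEORIGIN']);

// headers: plain object of header name -> value. Header names are matched
// case-insensitively, as HTTP header names are.
// Returns { vulnerable: boolean, reason: string }.
function auditXFrameOptions(headers) {
  const key = Object.keys(headers).find(
    (k) => k.toLowerCase() === 'x-frame-options'
  );
  if (key === undefined) {
    return { vulnerable: true, reason: 'X-Frame-Options header is missing' };
  }
  const raw = headers[key];
  const value = typeof raw === 'string' ? raw.trim().toUpperCase() : '';
  if (value === '') {
    return { vulnerable: true, reason: 'X-Frame-Options header is empty' };
  }
  if (value.startsWith('ALLOW-FROM')) {
    // Obsolete directive: modern browsers ignore it, so the page stays framable.
    return { vulnerable: true, reason: `obsolete directive: ${raw}` };
  }
  if (!SAFE_VALUES.has(value)) {
    // Anything other than DENY/SAMEORIGIN is ignored by browsers, e.g. 'anything'.
    return { vulnerable: true, reason: `unrecognised value: ${raw}` };
  }
  return { vulnerable: false, reason: `safe value: ${value}` };
}

// Constructed sample header sets, mirroring the page's two examples plus a
// configuration that forgot the header entirely.
const SAMPLE_HEADER_SETS = {
  vulnerable: { 'X-Frame-Options': 'anything' },
  secure: { 'X-Frame-Options': 'SAMEORIGIN' },
  missing: { 'Content-Type': 'text/html' },
};

// Audit every named header set and return name -> finding.
function auditAll(sets) {
  return Object.fromEntries(
    Object.entries(sets).map(([name, h]) => [name, auditXFrameOptions(h)])
  );
}

console.table(auditAll(SAMPLE_HEADER_SETS));
```

Browsers honour X-Frame-Options only as an HTTP response header, so a passing value also has to reach the server's response rather than living only in a client-side HttpHeaders object.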
Vulnerable code example
  import { HttpHeaders } from '@angular/common/http';
  export class SecurityService {
    configure() {
      const headers = new HttpHeaders({ 'X-Frame-Options': 'anything' }); // Vulnerable: 'anything' is not a valid X-Frame-Options directive, so browsers ignore it and the page can still be framed
    }
  }
✅ Secure code example
  import { HttpHeaders } from '@angular/common/http';
  export class SecurityService {
    configure() {
      const headers = new HttpHeaders({
        'X-Frame-Options': 'SAMEORIGIN' // Secure: Prevents clickjacking by only allowing frames from the same origin
      });
    }
  }