Php Unsafe Header X Frame Options

Description

This detector flags PHP code that configures clickjacking protection with the X-Frame-Options header instead of the Content-Security-Policy frame-ancestors directive that supersedes it. In a clickjacking attack the target page is loaded inside an attacker-controlled iframe and overlaid or made transparent so that the victim's clicks and keystrokes land on the framed page; the defence is a framing policy the browser will enforce. X-Frame-Options can only express DENY, SAMEORIGIN, or the ALLOW-FROM form that modern browsers ignore, and a value assembled from user-controllable input cannot be trusted at all. The frame-ancestors directive covers the same cases and additionally lets you list several permitted origins. The detector reports the header() call that sets X-Frame-Options so that the policy can be moved to CSP.

Weakness:

152 - Insecure or unset HTTP headers - X-Frame Options

Category: Protocol Manipulation

Detection Strategy

    Identifies calls to PHP's header() function

    Checks whether the first argument to header() is a string that sets the X-Frame-Options header

    Flags the call when the X-Frame-Options value is considered unsafe: DENY or SAMEORIGIN, which are superseded by CSP frame-ancestors; ALLOW-FROM, which modern browsers ignore; or a value built from user-controllable input

    Reports the header() call as the vulnerable location
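The four steps above, implemented as an added Python example that scans PHP source text; this is not the detector's own code. The sample PHP input is constructed for the example, and the Finding class, the reason strings and the scan()/has_frame_ancestors() names are this example's own choices. Besides the three unsafe cases listed on this page, it also checks whether the file already sends a Content-Security-Policy with frame-ancestors, which is what a triager wants to know before rewriting the header.

```python
"""Toy detector for X-Frame-Options set via PHP's header().

Added example, not the detector's own implementation: it follows the four
steps above over raw PHP source text. It does not strip PHP comments, so a
commented-out header() call would also be reported.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Start of a header( call that is a plain function call (not ->header, ::header
# or $header). PHP function names are case-insensitive.
HEADER_OPEN = re.compile(r"(?<![\w>:$])header\s*\(", re.IGNORECASE)
# A leading single- or double-quoted PHP string literal, escapes allowed.
LITERAL = re.compile(r"""^\s*(?P<q>['"])(?P<body>(?:\\.|[^\\])*?)(?P=q)""", re.DOTALL)
# "X-Frame-Options: <value>" inside that literal (header names are case-insensitive).
XFO = re.compile(r"^\s*x-frame-options\s*:\s*(?P<value>.*)$", re.IGNORECASE | re.DOTALL)
# A CSP header that carries the replacement directive.
FRAME_ANCESTORS = re.compile(r"""content-security-policy\s*:[^'"]*frame-ancestors""",
                             re.IGNORECASE)


@dataclass
class Finding:
    line: int    # 1-based line of the header() call
    value: str   # static part of the X-Frame-Options value, as written
    reason: str  # why the value is considered unsafe


def first_argument(src: str, pos: int) -> str:
    """Return the first argument of the call whose '(' ends at index pos.

    Tracks quotes and nested parentheses so a comma inside a string or a
    nested call does not end the argument early.
    """
    depth, quote, i = 0, None, pos
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == "\\":
                i += 1            # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            if depth == 0:
                break
            depth -= 1
        elif ch == "," and depth == 0:
            break
        i += 1
    return src[pos:i]


def classify(arg: str) -> Optional[Tuple[str, str]]:
    """Return (value, reason) if arg sets an unsafe X-Frame-Options, else None."""
    lit = LITERAL.match(arg)
    if not lit:
        return None               # e.g. header($h): header name not statically known
    quote, body = lit.group("q"), lit.group("body")
    m = XFO.match(body)
    if not m:
        return None               # some other header
    value = m.group("value").strip()
    trailing = arg[lit.end():].strip()           # ". $x" concatenation after the literal
    interpolated = quote == '"' and "$" in body  # "...: $origin" interpolation
    if trailing or interpolated:
        return value, "value built from runtime data (possible user-controlled input)"
    upper = value.upper()
    if upper.startswith("ALLOW-FROM"):
        return value, "ALLOW-FROM is ignored by modern browsers"
    if upper in ("DENY", "SAMEORIGIN"):
        return value, "X-Frame-Options is deprecated; use CSP frame-ancestors instead"
    return value, "unrecognised X-Frame-Options value"


def scan(src: str) -> List[Finding]:
    """Report every header() call that sets an unsafe X-Frame-Options value."""
    findings = []
    for m in HEADER_OPEN.finditer(src):
        result = classify(first_argument(src, m.end()))
        if result is not None:
            line = src.count("\n", 0, m.start()) + 1
            findings.append(Finding(line, result[0], result[1]))
    return findings


def has_frame_ancestors(src: str) -> bool:
    """True if the file also sends a CSP with frame-ancestors, the recommended fix."""
    return FRAME_ANCESTORS.search(src) is not None


# Constructed sample input for the example; not code from any real project.
SAMPLE_PHP = r"""<?php
header('X-Frame-Options: DENY');
header("X-Frame-Options: SAMEORIGIN", true);
header('X-Frame-Options: ALLOW-FROM https://partner.example');
header("X-Frame-Options: ALLOW-FROM " . $_GET['origin']);
header("X-Frame-Options: $origin");
header('Content-Type: text/html; charset=utf-8');
header('Content-Security-Policy: frame-ancestors \'self\'');
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_PHP):
        print(f"line {f.line}: X-Frame-Options: {f.value!r} -> {f.reason}")
    print("CSP frame-ancestors present:", has_frame_ancestors(SAMPLE_PHP))
```

The argument scanner is what makes the difference between a grep and a detector: `header("X-Frame-Options: SAMEORIGIN", true)` must not be cut at the comma inside the call, and the concatenation and interpolation cases must be recognised as runtime data rather than matched against the fixed DENY/SAMEORIGIN/ALLOW-FROM set.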

Vulnerable code example

<?php
// VULNERABLE: DENY is still honored by browsers, but X-Frame-Options is
// deprecated; use the CSP frame-ancestors directive instead
header('X-Frame-Options: DENY');

// VULNERABLE: SAMEORIGIN is deprecated for the same reason
header("X-Frame-Options: SAMEORIGIN");

// VULNERABLE: ALLOW-FROM is completely ignored by modern browsers...

✅ Secure code example

<?php
// SECURE: Use CSP frame-ancestors instead of deprecated X-Frame-Options.
// frame-ancestors must be sent as an HTTP header; browsers ignore it in a
// <meta http-equiv="Content-Security-Policy"> tag.
header("Content-Security-Policy: frame-ancestors 'none'"); // Blocks all framing

// SECURE: CSP frame-ancestors 'self' replaces SAMEORIGIN
header("Content-Security-Policy: frame-ancestors 'self'");

// SECURE: CSP allows specific origins unlike deprecated ALLOW-FROM...