Typescript Unsafe X Frame Options Header
Description
Detects insecure or missing X-Frame-Options header configurations in TypeScript applications. The X-Frame-Options HTTP response header helps prevent clickjacking by telling the browser whether the page may be rendered inside a frame or iframe. Browsers honour only the values DENY and SAMEORIGIN; a missing header, or any other value, is ignored and leaves the page frameable, exposing the application to UI redressing attacks. The header only has an effect when the server sends it on the response that delivers the page.
Detection Strategy
• Identifies HTTP response header configurations in TypeScript code
• Checks if X-Frame-Options header is missing from HTTP responses
• Flags header configurations that use non-standard values (such as ALLOWALL or the obsolete ALLOW-FROM), which browsers ignore, so the page remains frameable
• Examines header settings in server response configurations and middleware
• Reports issues when X-Frame-Options is not set to 'DENY' or 'SAMEORIGIN'
Vulnerable code example
import { HttpHeaders } from '@angular/common/http';

export class SecurityService {
  getHeaders() {
    // VULNERABLE: 'anything' is not a recognised X-Frame-Options value. Browsers accept only
    // DENY and SAMEORIGIN (ALLOW-FROM is obsolete and ignored), so this header provides no protection.
    const headers = new HttpHeaders({
      'Content-Type': 'application/json',
      'X-Frame-Options': 'anything'
    });
    return headers;
  }
}
✅ Secure code example
import { HttpHeaders } from '@angular/common/http';

export class SecurityService {
  getHeaders() {
    // Set X-Frame-Options to DENY to prevent all framing attempts (SAMEORIGIN is the only other accepted value)
    const headers = new HttpHeaders({
      'Content-Type': 'application/json',
      'X-Frame-Options': 'DENY' // Prevents the page from being embedded in any frame
    });
    return headers;
  }
}
Note that X-Frame-Options is a response header: attaching it to outgoing HttpClient requests, as this Angular service does, does not stop the page from being framed. The same value must also be set by the server or reverse proxy that serves the HTML, ideally alongside a Content-Security-Policy frame-ancestors directive, which is the current standard and takes precedence in browsers that support it.