Missing X-Frame-Options
The X-Frame-Options (XFO) response header prevents your website from being embedded in an iframe on another site. This stops "clickjacking" attacks.
Business Risk
In a clickjacking attack, a user visits a malicious site that has your website loaded in an invisible iframe positioned over a decoy "Play Game" button. When the user clicks "Play", they are actually clicking "Delete Account" on your site (if they are logged in). The X-Frame-Options header tells the browser "Do not allow anyone to iframe me."
Technical Details
Modern alternative: `Content-Security-Policy: frame-ancestors 'none'`. However, `X-Frame-Options: DENY` is still recommended for defense-in-depth and support for older tools. Use `SAMEORIGIN` if you need to frame your own pages within the same site.
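The following is an added example, not part of this finding page: a small Python check that classifies a response's framing protection from its headers (handling the case-insensitive header names, the deprecated `ALLOW-FROM` value, and the precedence of `frame-ancestors` over XFO), plus a helper that produces the headers this page recommends. The function names `assess_framing`, `parse_frame_ancestors` and `remediation_headers` and the sample headers are constructed here.

```python
"""Classify framing protection from HTTP response headers (added example)."""
from typing import Mapping, Optional, Tuple, List


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def assess_framing(headers: Mapping[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'protected', 'weak' or 'missing'."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    ancestors = parse_frame_ancestors(h.get("content-security-policy", ""))
    xfo = h.get("x-frame-options", "").strip().upper()
    # In browsers that support CSP, frame-ancestors overrides X-Frame-Options.
    if ancestors is not None:
        if "*" in ancestors:
            return "missing", "frame-ancestors * permits framing by any origin"
        return "protected", f"CSP frame-ancestors restricts framing to {ancestors}"
    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected", f"X-Frame-Options: {xfo}"
    if xfo.startswith("ALLOW-FROM"):
        return "weak", "ALLOW-FROM is obsolete and not honoured by current browsers"
    if xfo:
        return "weak", "X-Frame-Options value is not DENY or SAMEORIGIN; do not rely on it"
    return "missing", "no X-Frame-Options and no CSP frame-ancestors"


def remediation_headers(allow_same_origin: bool = False, existing_csp: str = "") -> dict:
    """Headers to add: CSP frame-ancestors plus X-Frame-Options for defence in depth."""
    if parse_frame_ancestors(existing_csp) is not None:
        raise ValueError("CSP already declares frame-ancestors; edit that directive instead")
    ancestors = "'self'" if allow_same_origin else "'none'"
    prefix = f"{existing_csp.rstrip('; ')}; " if existing_csp.strip() else ""
    return {
        "Content-Security-Policy": f"{prefix}frame-ancestors {ancestors}",
        "X-Frame-Options": "SAMEORIGIN" if allow_same_origin else "DENY",
    }


if __name__ == "__main__":
    # Constructed sample: a response that only sets the obsolete ALLOW-FROM value.
    sample = {"Content-Type": "text/html", "X-Frame-Options": "ALLOW-FROM https://partner.example"}
    print(assess_framing(sample))
    print(remediation_headers(existing_csp="default-src 'self'"))
```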
Remediation Guide
External References
Verify Your Fix
Applied the configuration change? Run a live scan to confirm the vulnerability is patched.