Missing X-Frame-Options Header (Clickjacking)
The X-Frame-Options header is missing, allowing your site to be embedded in iframes on malicious sites (clickjacking attacks).
What is Missing X-Frame-Options Header (Clickjacking)?
X-Frame-Options (or the modern CSP frame-ancestors directive) prevents your website from being embedded in an iframe on another domain. Without it, an attacker can overlay your site in a transparent iframe and trick users into clicking buttons they didn't intend to (e.g., "Delete account", "Transfer funds"). This is called clickjacking.
Why It Matters to Your Business
Clickjacking can trick users into performing sensitive actions they didn't intend — deleting data, granting permissions, or changing passwords. While less severe than XSS, clickjacking is trivially exploitable and easy to fix.
How to Fix It
Add one of these headers: X-Frame-Options: DENY (recommended — blocks all iframe embedding) X-Frame-Options: SAMEORIGIN (allows only your own domain to embed) Or use the modern CSP frame-ancestors directive: Content-Security-Policy: frame-ancestors 'self' For Nginx: add_header X-Frame-Options "DENY" always; For Apache: Header always set X-Frame-Options "DENY"
Technical Classification
| OWASP Category | A05:2021 — Security Misconfiguration |
| CWE ID | CWE-1021: Improper Restriction of Rendered UI Layers |
| Detected By | headers, security_features scanner(s) |
| Severity Level | medium |
How 2MNY Security Can Help
Check if your website has this vulnerability
Our headers, security_features scanner checks for this issue automatically.
Scan My Website FreeRelated Vulnerabilities
Missing HSTS Header
The HTTP Strict Transport Security (HSTS) header is missing, allowing browsers to silently downgrade HTTPS connections to HTTP.
Missing Content-Security-Policy Header
No Content-Security-Policy (CSP) header is set, leaving the site vulnerable to cross-site scripting (XSS) and data injection attacks.
Insecure Cookie Configuration
Session cookies are missing the Secure, HttpOnly, or SameSite attributes, exposing them to theft via XSS, MITM, or CSRF.
CORS Misconfiguration
The server reflects arbitrary Origin headers with credentials, allowing any website to make authenticated cross-origin requests.