medium HTTP Headers

Missing X-Frame-Options Header (Clickjacking)

The X-Frame-Options header is missing, allowing your site to be embedded in iframes on malicious sites (clickjacking attacks).

Severity
medium
Time to Fix
5 minutes
Difficulty
easy
OWASP
A05:2021 — Security Misconfiguration

What is Missing X-Frame-Options Header (Clickjacking)?

X-Frame-Options (or the modern CSP frame-ancestors directive) prevents your website from being embedded in an iframe on another domain. Without it, an attacker can overlay your site in a transparent iframe and trick users into clicking buttons they didn't intend to (e.g., "Delete account", "Transfer funds"). This is called clickjacking.

Why It Matters to Your Business

Clickjacking can trick users into performing sensitive actions they didn't intend — deleting data, granting permissions, or changing passwords. While less severe than XSS, clickjacking is trivially exploitable and easy to fix.

How to Fix It

Add one of these headers:
  X-Frame-Options: DENY  (recommended — blocks all iframe embedding)
  X-Frame-Options: SAMEORIGIN  (allows only your own domain to embed)

Or use the modern CSP frame-ancestors directive:
  Content-Security-Policy: frame-ancestors 'self'

For Nginx: add_header X-Frame-Options "DENY" always;
For Apache: Header always set X-Frame-Options "DENY"

Technical Classification

OWASP CategoryA05:2021 — Security Misconfiguration
CWE IDCWE-1021: Improper Restriction of Rendered UI Layers
Detected Byheaders, security_features scanner(s)
Severity Levelmedium

How 2MNY Security Can Help

Check if your website has this vulnerability

Our headers, security_features scanner checks for this issue automatically.

Scan My Website Free

Related Vulnerabilities