Severity: medium | CWE-1021 | OWASP A05:2021

Missing X-Frame-Options Header

The X-Frame-Options header is absent, allowing attackers to embed your app in an invisible iframe and trick users into clicking your UI elements (clickjacking).

How It Works

In a clickjacking attack, the attacker places your site in a transparent iframe on top of a fake page. The user thinks they're clicking a button on the fake page, but they're actually clicking a button on your site — like 'Transfer funds' or 'Enable camera access'. X-Frame-Options: DENY tells browsers to refuse iframe embedding.

Vulnerable Code

// BAD: next.config.mjs with no headers() entry, so responses carry no framing protection
// Any site can do: <iframe src="https://yourapp.com/settings"></iframe>

Secure Code

// GOOD: deny framing for every route in next.config.mjs
export default {
  async headers() {
    return [{
      source: '/(.*)',
      headers: [
        { key: 'X-Frame-Options', value: 'DENY' },
        // Modern complement: CSP frame-ancestors (browsers that support it apply this and ignore X-Frame-Options)
        { key: 'Content-Security-Policy', value: "frame-ancestors 'none'" }
      ]
    }];
  }
};

Real-World Example

In 2009, Adobe Flash's permission dialog was clickjacked — users were tricked into enabling their camera and microphone without knowing. The same technique applies to any web UI with sensitive buttons.

How to Prevent It

  • Set X-Frame-Options: DENY (or SAMEORIGIN if you need same-site framing)
  • Also set frame-ancestors 'none' in your CSP header as a modern complement
  • Apply to all pages, not just login — settings pages are high-value targets
  • Verify with curl -I yourdomain.com and check the response headers

Affected Technologies

Next.js, Node.js, nginx, Apache

Data Hogo detects this vulnerability automatically.
