【Notice】 We are pleased to announce that our "Good Faith Squatting Strategy (Phishing Takeover)" has been featured in 24 media outlets, including NIKKEI COMPASS, CNET Japan, ZDNET JAPAN, Sankei Shimbun, Toyo Keizai Online, and NewsPicks. Learn More

Website Vulnerability: Absence of the X-Frame-Options Header

Website Vulnerability: Absence of the X-Frame-Options Header

July 26, 2023

When the X-Frame-Options header is not configured, a website becomes susceptible to being loaded within a frame, exposing it to "clickjacking" attacks. Clickjacking is a malicious technique where attackers overlay an invisible frame on a webpage, deceiving users into performing unintended clicks or actions. For example, a user might believe they are clicking a legitimate button, but they are unknowingly interacting with a different link or action set by the attacker.

X-Frame-Options Header Compliance Rate for Official Websites of 3,715 Listed Companies in Japan: 【Source: SSL/TLS Security Vulnerability Dashboard for Official Websites of 3,715 Listed Companies in Japan】

Issues Arising from the Absence of the X-Frame-Options Header

The X-Frame-Options header is an HTTP response header that informs browsers how a webpage should be displayed within frames. Frames allow embedding one webpage within another using HTML elements. If this header is not set, the following vulnerabilities may arise:

1. Clickjacking Attacks

Attackers can exploit the absence of the X-Frame-Options header by overlaying invisible frames on a page to manipulate user actions. For example, a button or link a user believes they are interacting with might actually trigger an unintended action set by the attacker.

2. Cross-Site Scripting (XSS) Attacks

Improper use of frames without this header increases the risk of XSS attacks, where attackers inject malicious scripts into webpages. Proper configuration of the X-Frame-Options header can limit cross-domain framing, mitigating XSS vulnerabilities.

3. Cross-Origin Resource Sharing (CORS) Issues

Cross-origin resource sharing allows controlled access to resources across different origins. Mismanaged frames without the X-Frame-Options header can lead to improper resource access, compromising security.

How to Configure the X-Frame-Options Header

To enhance website security and prevent these vulnerabilities, the X-Frame-Options header can be configured using the following directives:

  • DENY: Completely blocks the page from being displayed in any frame, regardless of origin.
  • SAMEORIGIN: Allows the page to be framed only by pages from the same origin (domain, protocol, and port).
  • ALLOW-FROM uri: Permits framing only by the specified uri. Note that this option is not supported by all browsers, so using the Content Security Policy (CSP) frame-ancestors directive might be a more reliable alternative.

Configuring the X-Frame-Options Header in Nginx

Step 1: Open the Configuration File

Locate the Nginx configuration file, typically found in nginx.conf or within the sites-available directory.

Step 2: Add the add_header Directive

Insert the following configuration into the appropriate server or location block:

  • Configuration for Same-Origin Framing:
server {  
    listen 80;  
    server_name your-domain.com;  

    location / {  
        add_header X-Frame-Options "SAMEORIGIN";  
    }  
}

Configuration to Deny All Framing:

server {  
    listen 80;  
    server_name your-domain.com;  

    location / {  
        add_header X-Frame-Options "DENY";  
    }  
}

Configuration to Allow Framing from a Specific URI:

server {  
    listen 80;  
    server_name your-domain.com;  

    location / {  
        add_header X-Frame-Options "ALLOW-FROM https://example.com/";  
    }  
}

  • Note: Since ALLOW-FROM is not supported by all browsers, it is recommended to use the CSP frame-ancestors directive for broader compatibility.

Step 3: Save and Restart Nginx

Apply the changes by restarting or reloading the Nginx server:

sudo service nginx restart

By setting the X-Frame-Options header appropriately, you can restrict frame usage, prevent clickjacking, and safeguard user interactions on your website. This step is crucial for ensuring the security of web applications and protecting user data.