Summary #

Netsparker detected that the X-Frame-Options HTTP response header was sent more than once in a single response.

Impact #

Browsers don't expect to receive more than a single X-Frame-Options header from web servers. If those expectations are not met this might result in undefined behavior. That means if the server sends more than one X-Frame-Options header in a single HTTP response, browsers might ignore the header or fallback it to DENY option. So it can change the expected behavior of the site.

If the browser ignores the multiple definition of X-Frame-Options in the response header, a broken X-Frame-Options header will expose your users to UI Redressing attacks like Clickjacking.

Remediation #

Make sure that only one X-Frame-Options header is sent in each HTTP response in order to prevent unexpected behavior. Additionally, you can define the frame-ancestors Content-Security-Policy directive.

Classifications #
CAPEC-103; CWE-693; ISO27001-A.14.2.5; OWASP 2013-A5; OWASP 2017-A6
Vulnerability Index

Vulnerability Index

You can search and find all vulnerabilities


Search Vulnerability


Dead accurate, fast & easy-to-use Web Application Security Scanner

Get a demo