Hi,
I came across a medium risk security issue in the SaaS website. But probably it's not specific to the SaaS website.
According to our basic pentest, the X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers).
You can find more info in this post: https://blogs.msdn.microsoft.com/ieinternals/2010/03/30/combating-clickjacking-with-x-frame-options/
Regards,
Arash
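To make the finding above concrete, here is an added example (written for this page, not code from the issue author or from the project) that parses a raw HTTP response, decides whether the page can be framed cross-origin, and produces the headers to add. It goes slightly beyond the issue text by also evaluating the CSP `frame-ancestors` directive, which current browsers honour in preference to X-Frame-Options, and by treating the obsolete ALLOW-FROM value as giving no protection. The two sample responses are constructed for illustration and are not captures from the SaaS site.

```python
"""Assess and set anti-clickjacking headers.

Added example for this issue, not the project's own code. The sample
responses below are constructed, not captured from any real server.
"""
from __future__ import annotations

from typing import Mapping


def parse_response_headers(raw: str) -> dict[str, str]:
    """Parse the header block of a raw HTTP/1.1 response into a dict.

    Header names are lower-cased. Repeated headers are joined with ", ",
    so a duplicated X-Frame-Options becomes "DENY, SAMEORIGIN", which the
    assessment below deliberately refuses to count as protection.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    headers: dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def assess_framing_protection(headers: Mapping[str, str]) -> dict:
    """Return a verdict on whether a response may be framed by other origins."""
    lower = {k.lower(): v for k, v in headers.items()}
    verdict: dict = {"protected": False, "xfo": None, "frame_ancestors": None, "notes": []}

    xfo = lower.get("x-frame-options")
    if xfo is None:
        verdict["notes"].append("X-Frame-Options header missing")
    else:
        value = xfo.strip().upper()
        verdict["xfo"] = value
        if value in ("DENY", "SAMEORIGIN"):
            verdict["protected"] = True
        elif value.startswith("ALLOW-FROM"):
            # ALLOW-FROM is obsolete and ignored by current browsers.
            verdict["notes"].append("ALLOW-FROM is obsolete; use CSP frame-ancestors")
        else:
            # Covers typos and merged duplicates such as "DENY, SAMEORIGIN";
            # browsers disagree on invalid values, so do not rely on them.
            verdict["notes"].append(f"invalid X-Frame-Options value {xfo!r}")

    csp = lower.get("content-security-policy")
    if csp:
        for directive in csp.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                sources = tokens[1:]
                verdict["frame_ancestors"] = sources
                # 'none', 'self' or an explicit allow-list restrict framing;
                # a bare * (or an empty directive) does not. Where supported,
                # frame-ancestors takes precedence over X-Frame-Options.
                if sources and sources != ["*"]:
                    verdict["protected"] = True
                else:
                    verdict["notes"].append("frame-ancestors allows any origin")
                break

    if not verdict["protected"]:
        verdict["notes"].append("page can be framed cross-origin (clickjacking)")
    return verdict


def anti_clickjacking_headers(allowed_ancestors: tuple[str, ...] = ()) -> dict[str, str]:
    """Headers to add to every HTML response.

    No allowed ancestors -> DENY; only the site itself -> SAMEORIGIN. An
    explicit allow-list can only be expressed with CSP, so SAMEORIGIN is
    emitted as a conservative fallback for browsers without CSP support
    rather than the obsolete ALLOW-FROM.
    """
    if not allowed_ancestors:
        return {"X-Frame-Options": "DENY",
                "Content-Security-Policy": "frame-ancestors 'none'"}
    return {"X-Frame-Options": "SAMEORIGIN",
            "Content-Security-Policy": "frame-ancestors " + " ".join(allowed_ancestors)}


# Constructed sample responses (not real captures).
UNPROTECTED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; HttpOnly; Secure\r\n"
    "\r\n"
    "<html><body>Transfer funds</body></html>"
)
PROTECTED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'self'\r\n"
    "\r\n"
    "<html><body>Transfer funds</body></html>"
)

if __name__ == "__main__":
    for label, raw in (("unprotected", UNPROTECTED_RESPONSE), ("protected", PROTECTED_RESPONSE)):
        print(label, assess_framing_protection(parse_response_headers(raw)))
    print("headers to add:", anti_clickjacking_headers())
```

Running the script reports the first response as frameable and the second as protected. The design choice worth noting is that a merged or misspelt X-Frame-Options value is reported as invalid rather than protected, because the pentest finding is precisely about what the browser will actually enforce, and sending both X-Frame-Options and `frame-ancestors` covers both legacy and current browsers.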