
150081 Clickjacking - X-Frame-Options header is not set - possible false detection?

Question asked by Aleš Zrak on Sep 15, 2016
Latest reply on May 25, 2017 by Dave Ferguson

Hello everyone,


I recently performed a vulnerability scan for our website, which detected vulnerability 150081 - possible clickjacking.

Qualys reports there is no X-Frame-Options header sent by us, which is not true - we are setting this header via the .htaccess file:


<IfModule mod_headers.c>
  # Directives below only run when mod_headers is loaded.
  Header set X-XSS-Protection "1; mode=block"
  Header set X-Content-Type-Options "nosniff"
  # "always" also covers error (non-2xx) responses; "append" merges with an
  # existing X-Frame-Options value instead of replacing it.
  Header always append X-Frame-Options SAMEORIGIN

  <FilesMatch "\.(js|css|xml|gz)$">
    Header append Vary Accept-Encoding
  </FilesMatch>
</IfModule>


If I open developer tools in my browser, I see the header here:


[screenshot: screen_response_headers_clickjacking.png]


Is this the correct way to implement this for it to be recognized by Qualys?

Or could this be a false alert?


Thank you very much for any hint,

Aleš.
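As an added check (example code, not part of the original post and not Qualys's own logic): the script below parses a raw response header block, as shown by a browser's developer tools or `curl -sI`, and reports whether X-Frame-Options (or a CSP frame-ancestors directive) is present and well-formed. The three sample responses are constructed for the example; the conflict case shows what "Header always append" yields when the application already emits its own X-Frame-Options value.

```python
"""Verify a clickjacking defence from raw response headers.

Added example, not part of the original post or of Qualys. It parses the
header block a browser's developer tools or `curl -sI` shows and reports
whether X-Frame-Options (or a CSP frame-ancestors directive) is present
and well-formed, so a "header not set" finding can be checked by hand.
"""
from __future__ import annotations

# Values a browser acts on; ALLOW-FROM is obsolete and widely ignored.
VALID_XFO = {"DENY", "SAMEORIGIN"}


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw header block into (name, value) pairs, keeping duplicates.

    Names are lower-cased because header names are case-insensitive; the
    status line and blank lines are skipped.
    """
    pairs: list[tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check_clickjacking(raw: str) -> dict:
    """Return a verdict dict: which values were seen and what is wrong."""
    headers = parse_headers(raw)
    xfo_raw = [v for n, v in headers if n == "x-frame-options"]
    # A comma-joined value (what "Header append" produces when the header
    # already exists) is split into its parts before being judged.
    xfo_values = [part.strip().upper()
                  for v in xfo_raw for part in v.split(",") if part.strip()]
    csp_values = [v for n, v in headers if n == "content-security-policy"]
    has_frame_ancestors = any("frame-ancestors" in v.lower() for v in csp_values)

    problems: list[str] = []
    if not xfo_values and not has_frame_ancestors:
        problems.append("no X-Frame-Options header and no CSP frame-ancestors directive")
    distinct = set(xfo_values)
    if len(distinct) > 1:
        problems.append(f"conflicting X-Frame-Options values: {sorted(distinct)}")
    for value in sorted(distinct):
        if value not in VALID_XFO:
            problems.append(f"unsupported X-Frame-Options value: {value!r}")
    return {
        "x_frame_options": xfo_values,
        "csp_frame_ancestors": has_frame_ancestors,
        "problems": problems,
        "ok": not problems,
    }


# Constructed sample responses (not captured from any real site).
SAMPLE_OK = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
"""

SAMPLE_MISSING = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Content-Type-Options: nosniff
"""

# What "Header always append" yields when the application already set the header.
SAMPLE_CONFLICT = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN, ALLOW-FROM https://partner.example
"""

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("missing", SAMPLE_MISSING),
                          ("conflict", SAMPLE_CONFLICT)):
        verdict = check_clickjacking(sample)
        print(label, "OK" if verdict["ok"] else "; ".join(verdict["problems"]))
```

Run it against the output of `curl -sI` for the exact URL the scanner requested, not only the home page: mod_headers directives in an .htaccess file apply only to requests Apache serves from that directory, and a plain `Header` (without `always`) is not added to error responses, so a scanner that reaches a different path or status code can see a response without the header even when the browser shows it.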
