I recently performed a vulnerability scan for our website, which detected vulnerability 150081 - possible clickjacking.
Qualys reports there is no X-Frame-Options header sent by us, which is not true - we are setting this header via .htaccess file:

    <IfModule mod_headers.c>
        Header set X-XSS-Protection "1; mode=block"
        Header set X-Content-Type-Options "nosniff"
        Header always append X-Frame-Options SAMEORIGIN
        <FilesMatch "\.(js|css|xml|gz)$">
            Header append Vary Accept-Encoding
        </FilesMatch>
    </IfModule>
If I open developer tools in my browser, I see the header here:
Is this the correct way to implement this for it to be recognized by Qualys?
Or could this be a false alert?
Thank you very much for any hint,
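To see what a scanner actually evaluates, here is a small checker, added as an example and not part of the original post or of any Qualys tooling. It parses raw HTTP responses and classifies the clickjacking protection each one carries: a Content-Security-Policy `frame-ancestors` directive, a single valid X-Frame-Options value, a duplicated value (the shape `Header append` produces when the header already exists), conflicting values, or nothing at all. The sample responses, and the function names `parse_response`, `frame_protection`, `scan` and `unprotected`, are constructed for this example.

```python
"""Classify the clickjacking protection carried by HTTP responses.

Added example (not code from the original post). The responses below are
constructed, not captured from the poster's site.
"""
from typing import Dict, List, Tuple

# Only these X-Frame-Options values are honoured by current browsers;
# the old ALLOW-FROM directive is ignored.
VALID_XFO = {"DENY", "SAMEORIGIN"}

# Constructed sample responses covering the cases a scanner distinguishes.
SAMPLE_RESPONSES: Dict[str, str] = {
    "page-set-once": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "X-Frame-Options: SAMEORIGIN\r\n"
        "\r\n<html></html>"
    ),
    # What 'Header append' yields when an X-Frame-Options header is already present.
    "page-appended-twice": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "X-Frame-Options: SAMEORIGIN, SAMEORIGIN\r\n"
        "\r\n<html></html>"
    ),
    "page-csp": (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html\r\n"
        "Content-Security-Policy: default-src 'self'; frame-ancestors 'self'\r\n"
        "\r\n<html></html>"
    ),
    # An error page that never passed through the header rule at all.
    "not-found-no-header": (
        "HTTP/1.1 404 Not Found\r\n"
        "Content-Type: text/html\r\n"
        "\r\n<html>missing</html>"
    ),
}


def parse_response(raw: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Return (status_code, [(lower-cased header name, value), ...]).

    Repeated headers are kept as separate entries so duplicates stay visible.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def frame_protection(headers: List[Tuple[str, str]]) -> str:
    """Classify: 'csp', 'xfo', 'xfo-duplicate', 'xfo-conflict', 'xfo-unknown' or 'missing'."""
    # Browsers that support CSP frame-ancestors give it precedence over X-Frame-Options.
    for name, value in headers:
        if name == "content-security-policy":
            directives = [d.strip().lower() for d in value.split(";")]
            if any(d.startswith("frame-ancestors") for d in directives):
                return "csp"
    # Collect every X-Frame-Options token, whether from repeated headers or a
    # comma-joined value, so misconfigurations are not hidden by merging.
    tokens: List[str] = []
    for name, value in headers:
        if name == "x-frame-options":
            tokens.extend(t.strip().upper() for t in value.split(",") if t.strip())
    if not tokens:
        return "missing"
    if len(set(tokens)) > 1:
        return "xfo-conflict"      # e.g. DENY and SAMEORIGIN together: treated as invalid
    if tokens[0] not in VALID_XFO:
        return "xfo-unknown"
    if len(tokens) > 1:
        return "xfo-duplicate"     # same value repeated: a sign of 'append' instead of 'set'
    return "xfo"


def scan(responses: Dict[str, str]) -> Dict[str, Tuple[int, str]]:
    """Map each labelled response to (status code, protection verdict)."""
    results: Dict[str, Tuple[int, str]] = {}
    for label, raw in responses.items():
        status, headers = parse_response(raw)
        results[label] = (status, frame_protection(headers))
    return results


def unprotected(results: Dict[str, Tuple[int, str]]) -> List[str]:
    """Labels of responses a scanner would report: no clean XFO or CSP protection."""
    return sorted(label for label, (_, verdict) in results.items()
                  if verdict not in ("xfo", "csp"))


if __name__ == "__main__":
    findings = scan(SAMPLE_RESPONSES)
    for label, (status, verdict) in findings.items():
        print(f"{label:24} {status} {verdict}")
    print("would be flagged:", unprotected(findings))
```

In Apache's mod_headers, `Header append` adds the value to an existing header as a comma-separated list while `Header set` replaces it, and the `always` condition makes the directive apply to non-2xx responses (redirects, error pages) as well; `Header always set X-Frame-Options "SAMEORIGIN"` therefore yields the single value on every response that both this checker and a browser expect. Running a check like this against the specific URLs the scanner lists (rather than only the home page in developer tools) shows whether the finding is a false alert or a page that is genuinely missing the header.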