ZAP – Missing Anti-clickjacking Header

Details
Alert ID	10020-1
Alert Type	Passive
Status	release
Risk	Medium
CWE	1021
WASC	15
Technologies Targeted	All
Tags	CWE-1021 OWASP_2017_A06 OWASP_2021_A05 POLICY_PENTEST POLICY_QA_STD WSTG-V42-CLNT-09
More Info	Scan Rule Help

Summary

The response does not protect against ‘ClickJacking’ attacks. It should include either Content-Security-Policy with ‘frame-ancestors’ directive or X-Frame-Options.

Solution

Modern Web browsers support the Content-Security-Policy and X-Frame-Options HTTP headers. Ensure one of them is set on all web pages returned by your site/app. If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively consider implementing Content Security Policy's "frame-ancestors" directive.

Other Info

References

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

Code

org/zaproxy/zap/extension/pscanrules/AntiClickjackingScanRule.java