Details

Alert Id: 10020-4
Alert Type: Passive Scan Rule
Status: release
Risk: Medium
CWE: 16
WASC: 15

Summary

An X-Frame-Options header was present in the response but the value was not correctly set.

Solution

Ensure a valid setting is used on all web pages returned by your site. If you expect the page to be framed only by pages on your own server (e.g. it is part of a FRAMESET), use SAMEORIGIN; if you never expect the page to be framed, use DENY. ALLOW-FROM allows specific websites to frame the page, but only in browsers that support that value.
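As an added example (not ZAP's own code, which is the Java file listed under Code), the following Python classifies a response's X-Frame-Options value into the cases this rule distinguishes; the category names, the case-insensitive matching and the treatment of ALLOW-FROM as a separate, browser-unsupported case are assumptions of this example, and the sample headers are constructed.

```python
import re

# Values defined for X-Frame-Options; browsers compare them case-insensitively.
VALID_TOKENS = {"DENY", "SAMEORIGIN"}

# Constructed sample responses: each is a list of (header name, value) tuples.
SAMPLE_OK = [("Content-Type", "text/html"), ("X-Frame-Options", "sameorigin")]
SAMPLE_TYPO = [("Content-Type", "text/html"), ("X-Frame-Options", "SAME-ORIGIN")]
SAMPLE_ALLOW = [("X-Frame-Options", "ALLOW-FROM https://example.test")]
SAMPLE_DOUBLE = [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")]


def classify_xfo(headers):
    """Classify the X-Frame-Options setting carried by a response.

    Returns one of (names are this example's own):
      "missing"    - no X-Frame-Options header at all
      "multiple"   - more than one value present; browsers may ignore all of them
      "valid"      - exactly one value, DENY or SAMEORIGIN
      "allow-from" - ALLOW-FROM <uri>: well-formed but unsupported by modern browsers
      "malformed"  - anything else, i.e. the condition this alert reports
    """
    values = []
    for name, value in headers:
        if name.lower() == "x-frame-options":
            # One header line may also carry a comma-separated list of values.
            values.extend(v.strip() for v in value.split(",") if v.strip())
    if not values:
        return "missing"
    if len(values) > 1:
        return "multiple"
    upper = values[0].upper()
    if upper in VALID_TOKENS:
        return "valid"
    if re.fullmatch(r"ALLOW-FROM\s+\S+", upper):
        return "allow-from"
    return "malformed"


if __name__ == "__main__":
    for label, sample in [("ok", SAMPLE_OK), ("typo", SAMPLE_TYPO),
                          ("allow", SAMPLE_ALLOW), ("double", SAMPLE_DOUBLE)]:
        print(f"{label}: {classify_xfo(sample)}")
```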

References

Code

org/zaproxy/zap/extension/pscanrules/XFrameOptionScanRule.java