Does anyone have any idea how to prevent the "X-Frame-Options header is not set" vulnerability in PHP?
2 Answers
1
This isn't so much a PHP vulnerability as it is a "not added" feature to your web server.
You can of course throw header("X-Frame-Options: SAMEORIGIN"); into every page... but that's not feasible. Simply read below and add the required data to your HTTPd config file.
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

JasonSec
- Thanks for your help :) I'll let you know the result after I run the scan again. – Delesc May 12 '14 at 23:36
- I just added the configuration you recommended to the .htaccess. Is it necessary to apply that configuration in php.ini as well? Or what else should I add to the configuration in order to mitigate the vuln? – Delesc May 21 '14 at 14:38
0
Not sure why you would class it as a vulnerability, but you can control who is allowed to frame your site:
You would be safest to use:
Header always append X-Frame-Options SAMEORIGIN
In your .htaccess (assuming you are using Apache), as it allows you to iframe your content from the same site (you shouldn't need to use frames at all, but in my experience, when dealing with third-party code you sometimes find iframes).
- I just added the configuration you recommended to the .htaccess. Is it necessary to apply that configuration in php.ini as well? Or what else should I add to the configuration in order to mitigate the vuln? – Delesc May 21 '14 at 14:39
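A way to confirm that the header actually reaches the client after changing .htaccess or PHP code, before re-running the scan. This is an added example, not code from either answer; the function name and the sample responses are constructed, and in practice the input would be the saved response headers of a request to the site.

```python
# Added example: classify the X-Frame-Options state of a raw HTTP response.
# check_x_frame_options and SAMPLES are constructed for illustration.

VALID = {"DENY", "SAMEORIGIN"}  # ALLOW-FROM is obsolete, so it is reported as invalid


def check_x_frame_options(raw_response: str) -> tuple[str, str]:
    """Return (status, detail) where status is ok, missing, invalid or conflict."""
    values = []
    for line in raw_response.splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                                 # blank line ends the header block
        name, sep, value = line.partition(":")
        # A line without ':' is not a header field, so it never counts.
        if sep and name.strip().lower() == "x-frame-options":
            # Comma-joined or repeated fields are treated as several values.
            values += [v.strip().upper() for v in value.split(",") if v.strip()]
    if not values:
        return ("missing", "no X-Frame-Options header in the response")
    unknown = [v for v in values if v not in VALID]
    if unknown:
        return ("invalid", "unrecognised value(s): " + ", ".join(unknown))
    if len(set(values)) > 1:
        return ("conflict", "conflicting values: " + ", ".join(values))
    return ("ok", values[0])


# Constructed sample responses (not captured from a real site).
SAMPLES = {
    "no_header": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
    "malformed": "HTTP/1.1 200 OK\r\nX-Frame-Options=SAMEORIGIN\r\n\r\n",
    "good": "HTTP/1.1 200 OK\r\nx-frame-options: SAMEORIGIN\r\n\r\n",
    "set_twice": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n"
                 "X-Frame-Options: SAMEORIGIN\r\n\r\n",
    "obsolete": "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://a.example\r\n\r\n",
}

if __name__ == "__main__":
    for label, response in SAMPLES.items():
        status, detail = check_x_frame_options(response)
        print(f"{label:10} {status:9} {detail}")
```

The "set_twice" case is worth checking when the header is configured both in the web server and in application code.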