X-Frame-Options is very good protection against clickjacking attacks. The problem with XFO is that it is a non-standard header that has problems with domain whitelisting (the only widely supported values for XFO are `deny` and `sameorigin`).
Nowadays XFO is part of Content Security Policy (v2). We have the possibility of defining framing as blocked (`none`), same-origin (`self`) and ALSO domain whitelisting, e.g.:

Content-Security-Policy: frame-ancestors 'none';
Content-Security-Policy: frame-ancestors 'self';
Content-Security-Policy: frame-ancestors 'self' my.second.domain.com mythird.cdn.com;

I suggest rewriting V11.10 to use the CSP approach and also adding information about sending the X-Frame-Options header for old-browser compatibility (if accessible for the audited web application).
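As an added illustration (not part of this issue or the ASVS text), the following Python builds the header pair described above from a framing policy and evaluates whether a given embedder would be allowed, using the CSP rule that `frame-ancestors` takes precedence over XFO when both are present. The choice to send `SAMEORIGIN` as the legacy fallback for a whitelist policy is an assumed fail-closed design decision, not something the issue specifies.

```python
"""Added example: derive clickjacking-protection headers from a framing
policy and check which embedders they permit (not the issue's own code)."""
from urllib.parse import urlsplit


def framing_headers(allowed):
    """allowed: [] -> forbid all framing; ['self'] -> same origin only;
    otherwise CSP host-sources, optionally together with 'self'."""
    if not allowed:
        return {"Content-Security-Policy": "frame-ancestors 'none'",
                "X-Frame-Options": "DENY"}
    sources = ["'self'" if s == "self" else s for s in allowed]
    headers = {"Content-Security-Policy": "frame-ancestors " + " ".join(sources)}
    # XFO has no widely supported allow-list form, so a whitelist policy gets
    # SAMEORIGIN as a fail-closed fallback for browsers without CSP Level 2
    # (assumed design choice); CSP-aware browsers use frame-ancestors instead.
    headers["X-Frame-Options"] = "SAMEORIGIN"
    return headers


def _host_matches(pattern, host):
    """CSP host-source match: exact host, or '*.example.com' wildcard."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def framing_allowed(headers, page_url, embedder_url):
    """True if embedder_url may frame page_url under these response headers.
    frame-ancestors wins when present; otherwise X-Frame-Options applies."""
    page, emb = urlsplit(page_url), urlsplit(embedder_url)
    same_origin = (page.scheme, page.netloc) == (emb.scheme, emb.netloc)
    for directive in headers.get("Content-Security-Policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name != "frame-ancestors":
            continue
        for src in value.split():
            if src == "'none'":
                return False
            if src == "'self'":
                if same_origin:
                    return True
                continue
            scheme, _, host = src.lower().rpartition("://")  # optional scheme
            if (not scheme or scheme == emb.scheme) and \
                    _host_matches(host, emb.hostname or ""):
                return True
        return False  # directive present but no source matched
    xfo = headers.get("X-Frame-Options", "").upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return same_origin
    return True  # neither header set: framing is unrestricted
```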