Open theheapdump opened 3 years ago
run on 02.11.2020
Missing HTTP security headers

| HTTP Security Header | Header Role | Status |
| --- | --- | --- |
| X-Frame-Options | Protects against Clickjacking attacks | Not set |

Details

Risk description: Because the X-Frame-Options header is not sent by the server, an attacker could embed this website into an iframe of a third-party website. By manipulating the display attributes of the iframe, the attacker could trick the user into performing mouse clicks in the application, thus performing activities without the user's consent (e.g. delete user, subscribe to newsletter, etc.). This is called a Clickjacking attack and it is described in detail here: https://owasp.org/www-community/attacks/Clickjacking

Recommendation: We recommend that you add the X-Frame-Options HTTP response header to every page that you want to be protected against Clickjacking attacks.

More information about this issue: https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.htm
https://owasp.org/www-project-top-ten/
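The check below is an added example and is not part of the issue or of the scanner output quoted above. It reproduces the scanner's verdict on a set of response headers and also covers the case the report does not mention: browsers that understand the `Content-Security-Policy` `frame-ancestors` directive ignore `X-Frame-Options` entirely, so a permissive `frame-ancestors` silently undoes a `DENY`. The sample header sets are constructed, not captured from the scanned host; `recommended_headers` returns the pair a server should send (the legacy header as a fallback plus the CSP directive).

```python
"""Clickjacking header check and recommended values (added example)."""


def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_clickjacking(headers):
    """Return (protected, findings) for a dict of response headers.

    Header names are matched case-insensitively. X-Frame-Options is the
    legacy control; CSP frame-ancestors is the current one and, when
    present, is what a modern browser actually enforces.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    findings = []

    xfo_ok = False
    xfo = lower.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options not set")
    else:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            xfo_ok = True
        elif value.startswith("ALLOW-FROM"):
            findings.append("X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers")
        else:
            findings.append("X-Frame-Options has an invalid value: %r" % xfo)

    csp_ok = None  # None means no frame-ancestors directive was found
    csp = lower.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy not set")
    else:
        sources = parse_csp(csp).get("frame-ancestors")
        if sources is None:
            findings.append("Content-Security-Policy has no frame-ancestors directive")
        elif any(s in ("*", "http:", "https:") for s in sources):
            csp_ok = False
            findings.append("frame-ancestors permits any origin: %s" % " ".join(sources))
        else:
            csp_ok = True  # 'none', 'self' or an explicit origin list

    # A browser that supports frame-ancestors ignores X-Frame-Options, so the
    # CSP verdict wins whenever the directive is present at all.
    protected = csp_ok if csp_ok is not None else xfo_ok
    if csp_ok is True and not xfo_ok:
        findings.append("Add X-Frame-Options as a fallback for browsers without CSP support")
    return protected, findings


def recommended_headers(allow_same_origin=False):
    """Headers to add to every response that must not be framed by other sites."""
    if allow_same_origin:
        return {"X-Frame-Options": "SAMEORIGIN",
                "Content-Security-Policy": "frame-ancestors 'self'"}
    return {"X-Frame-Options": "DENY",
            "Content-Security-Policy": "frame-ancestors 'none'"}


if __name__ == "__main__":
    # Constructed sample responses for illustration, not captured traffic.
    samples = {
        "as reported by the scanner": {"Server": "nginx", "Content-Type": "text/html"},
        "legacy header only": {"X-Frame-Options": "SAMEORIGIN"},
        "CSP undoes X-Frame-Options": {
            "X-Frame-Options": "DENY",
            "Content-Security-Policy": "default-src 'self'; frame-ancestors *",
        },
        "hardened": {"Content-Type": "text/html", **recommended_headers()},
    }
    for name, hdrs in samples.items():
        ok, notes = check_clickjacking(hdrs)
        print("%s: %s" % (name, "protected" if ok else "NOT protected"))
        for note in notes:
            print("   -", note)
```

Run it against the headers of a real response (for example the dict returned by `requests.head(url).headers`) to get the same finding the scanner produced, plus the frame-ancestors caveat. Setting both headers on every HTML response is the safe default; `ALLOW-FROM` should not be used because current browsers do not honour it, and an allow-list of third-party framers belongs in `frame-ancestors` alone.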