Severity: MEDIUM | CWE-1021 | Category: Security Headers

Missing X-Frame-Options Header

Description

Your app does not send the X-Frame-Options header, making it possible for attackers to embed your site in an iframe and conduct clickjacking attacks.

How Vezraa Detects It

We check for the X-Frame-Options header and the frame-ancestors CSP directive.
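The check described above, as an added example that is not Vezraa's scanner code: it takes a response's headers and classifies framing protection from the two signals named here, the X-Frame-Options header and the CSP frame-ancestors directive. The sample header sets are constructed for the demonstration, and the three-way status (protected / weak / missing) is this example's own convention.

```python
"""Classify a response's clickjacking protection from its headers.

Looks at the same two signals the entry names: the legacy X-Frame-Options
header and the Content-Security-Policy frame-ancestors directive.
Example code added to illustrate the check; not the scanner's own code.
"""
from typing import Dict, List, Optional, Tuple


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list, or None if the directive is absent.

    CSP directives are ';'-separated; names and keyword sources are
    ASCII case-insensitive, so tokens are lower-cased for comparison.
    """
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def check_clickjacking(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (status, reason).

    status is 'protected' (framing restricted), 'weak' (a control is present
    but permissive or unusable) or 'missing' (this entry's finding).
    """
    # HTTP header names are case-insensitive; normalise once.
    h = {k.lower(): v for k, v in headers.items()}

    # frame-ancestors wins in browsers that support it, so evaluate CSP first.
    # Only the enforcing header counts; a Report-Only policy blocks nothing.
    csp = h.get("content-security-policy")
    if csp:
        ancestors = parse_frame_ancestors(csp)
        if ancestors is not None:
            if "*" in ancestors:
                return "weak", "frame-ancestors allows any origin (*)"
            return "protected", f"CSP frame-ancestors {' '.join(ancestors)}"
        # CSP present without frame-ancestors: fall through to X-Frame-Options.

    xfo = h.get("x-frame-options")
    if xfo:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return "protected", f"X-Frame-Options {value}"
        if value.startswith("ALLOW-FROM"):
            return "weak", "ALLOW-FROM is obsolete and ignored by modern browsers"
        # Browsers ignore the header entirely when the value is not recognised.
        return "weak", f"unrecognised X-Frame-Options value {xfo!r}"

    return "missing", "no X-Frame-Options header and no frame-ancestors directive"


# Constructed sample responses (not captured from a real site).
SAMPLE_RESPONSES = {
    "unprotected": {"Content-Type": "text/html"},
    "xfo_deny": {"X-Frame-Options": "DENY"},
    "csp_none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp_wildcard": {"Content-Security-Policy": "frame-ancestors *"},
    "xfo_allow_from": {"x-frame-options": "ALLOW-FROM https://example.com"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        status, reason = check_clickjacking(hdrs)
        print(f"{name:15} {status:10} {reason}")
```

Against a live target the dictionary would come from the response of an HTTP client; the classification logic is the same.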

Real-World Impact

Attackers can overlay invisible iframes of your app on malicious pages, tricking users into clicking buttons they can't see.

Fix Example

X-Frame-Options: DENY
# Or via CSP:
Content-Security-Policy: frame-ancestors 'none';
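One way to apply this fix at the application layer, as an added example that is not part of the original entry: a small WSGI middleware that sends both headers on every response. frame-ancestors takes precedence in browsers that support it, and X-Frame-Options is kept for older clients, which is why the example sets both. The hello_app, the policy parameter and the run_request helper are this example's own assumptions.

```python
"""WSGI middleware that adds X-Frame-Options and CSP frame-ancestors.

Example added to illustrate the fix above; not code from Vezraa.
"""
from wsgiref.util import setup_testing_defaults


class FramingProtection:
    """Wrap a WSGI app so every response restricts who may frame it.

    policy='none' denies all framing (DENY); policy='self' permits only
    same-origin framing (SAMEORIGIN). Both headers are set so old and new
    browsers are covered.
    """

    def __init__(self, app, policy="none"):
        if policy not in ("none", "self"):
            raise ValueError("policy must be 'none' or 'self'")
        self.app = app
        self.xfo = "DENY" if policy == "none" else "SAMEORIGIN"
        self.csp = f"frame-ancestors '{policy}'"

    def __call__(self, environ, start_response):
        def _start_response(status, headers, exc_info=None):
            merged = []
            csp_seen = False
            for name, value in headers:
                lname = name.lower()
                if lname == "x-frame-options":
                    # Drop any app-set copy so the policy is neither weakened
                    # nor sent twice.
                    continue
                if lname == "content-security-policy":
                    csp_seen = True
                    # Merge into an existing policy instead of replacing it;
                    # leave it alone if the app already chose frame-ancestors.
                    if "frame-ancestors" not in value.lower():
                        value = value.rstrip().rstrip(";") + "; " + self.csp
                merged.append((name, value))
            merged.append(("X-Frame-Options", self.xfo))
            if not csp_seen:
                merged.append(("Content-Security-Policy", self.csp))
            return start_response(status, merged, exc_info)

        return self.app(environ, _start_response)


def hello_app(environ, start_response):
    """Minimal app (constructed for the example) that sets no framing headers."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<h1>hello</h1>"]


def csp_app(environ, start_response):
    """App that already sends a CSP without frame-ancestors."""
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Content-Security-Policy", "default-src 'self';")])
    return [b"<h1>csp</h1>"]


def run_request(app, path="/"):
    """Invoke a WSGI app in-process and return (status, headers, body)."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    status, headers, body = run_request(FramingProtection(hello_app))
    print(status)
    for name, value in headers.items():
        print(f"{name}: {value}")
```

In a real deployment the middleware wraps the application object handed to the WSGI server; the same two headers can equally be set in the reverse proxy or web server in front of the app, as in the fix above.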

Affected Stacks

All web apps
