Severity: MEDIUM | CWE-1021 | Category: Security Headers
Missing X-Frame-Options Header
Description
Your app does not send the X-Frame-Options header (and no equivalent frame-ancestors directive in a Content-Security-Policy header), so any other site can embed your pages in an iframe and mount clickjacking attacks against your users.
How Vezraa Detects It
We inspect the response headers for X-Frame-Options (DENY or SAMEORIGIN) and for a frame-ancestors directive in an enforced Content-Security-Policy header; either one satisfies this check. Note that a Content-Security-Policy-Report-Only header does not block framing, and that frame-ancestors does not inherit from default-src, so a CSP without an explicit frame-ancestors directive leaves the page frameable.
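As an added example (this is not Vezraa's scanner code), the Python function below applies the check described above to a list of (name, value) response headers, including the precedence rule browsers use: an enforced CSP frame-ancestors directive wins over X-Frame-Options, a report-only policy never blocks framing, frame-ancestors does not fall back to default-src, and the obsolete ALLOW-FROM value leaves the page frameable. The verdict names and the sample header sets are constructed for illustration.

```python
"""Classify a response's clickjacking protection from its headers.

Added example, not part of Vezraa's scanner. Verdict names are an
assumption of this example: "blocked" (cannot be framed), "same-origin",
"allowlist" (specific origins only) and "unprotected".
"""
from typing import Iterable, List, Optional, Tuple

Header = Tuple[str, str]

# When several enforced policies carry frame-ancestors, a browser enforces
# all of them, so the most restrictive verdict wins.
_RANK = {"unprotected": 0, "allowlist": 1, "same-origin": 2, "blocked": 3}


def _frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list, or None if the policy has
    no such directive (it does NOT fall back to default-src)."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def _csp_verdict(sources: List[str]) -> Tuple[str, str]:
    # An empty source list is equivalent to 'none'.
    if not sources or sources == ["none"]:
        return "blocked", "CSP frame-ancestors 'none'"
    if "*" in sources:
        return "unprotected", "CSP frame-ancestors allows any origin (*)"
    if sources == ["self"]:
        return "same-origin", "CSP frame-ancestors 'self'"
    return "allowlist", "CSP frame-ancestors " + " ".join(sources)


def _xfo_verdict(values: List[str]) -> Tuple[str, str]:
    if len(set(values)) > 1:
        # Conflicting values are ambiguous; flag them rather than guess
        # which one a given browser honours.
        return "unprotected", "conflicting X-Frame-Options values: " + ", ".join(values)
    value = values[0]
    if value == "DENY":
        return "blocked", "X-Frame-Options: DENY"
    if value == "SAMEORIGIN":
        return "same-origin", "X-Frame-Options: SAMEORIGIN"
    if value.startswith("ALLOW-FROM"):
        # ALLOW-FROM is obsolete and ignored by current browsers.
        return "unprotected", "X-Frame-Options ALLOW-FROM is obsolete and ignored"
    return "unprotected", "invalid X-Frame-Options value " + repr(value)


def framing_policy(headers: Iterable[Header]) -> Tuple[str, str]:
    """Return (verdict, reason) for a sequence of raw response headers.
    Header names are matched case-insensitively; repeats are allowed."""
    xfo: List[str] = []
    csp_verdicts: List[Tuple[str, str]] = []
    for name, value in headers:
        lname = name.lower()
        if lname == "x-frame-options":
            xfo.append(value.strip().upper())
        elif lname == "content-security-policy":
            sources = _frame_ancestors(value)
            if sources is not None:
                csp_verdicts.append(_csp_verdict(sources))
        # Content-Security-Policy-Report-Only only reports, never blocks,
        # so it is deliberately ignored.
    if csp_verdicts:
        # Enforced frame-ancestors takes precedence over X-Frame-Options.
        return max(csp_verdicts, key=lambda v: _RANK[v[0]])
    if xfo:
        return _xfo_verdict(xfo)
    return "unprotected", "neither X-Frame-Options nor CSP frame-ancestors is set"


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "no headers": [],
    "xfo deny": [("X-Frame-Options", "DENY")],
    "csp none": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
    "csp without frame-ancestors": [("Content-Security-Policy", "default-src 'self'")],
    "csp wildcard overrides xfo": [("X-Frame-Options", "DENY"),
                                   ("Content-Security-Policy", "frame-ancestors *")],
    "report-only": [("Content-Security-Policy-Report-Only", "frame-ancestors 'none'")],
    "obsolete allow-from": [("X-Frame-Options", "ALLOW-FROM https://example.com")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        verdict, reason = framing_policy(hdrs)
        print(f"{label:30} {verdict:12} {reason}")
```

The scanner view matters more than the header view here: a site that sends X-Frame-Options: DENY together with a CSP whose frame-ancestors is permissive is still frameable in every browser that implements frame-ancestors, which the function reports as "unprotected" rather than trusting the DENY.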
Real-World Impact
An attacker loads your app in a transparent iframe positioned over a decoy page, so a user who believes they are clicking the decoy actually clicks a button in your app (confirming a payment, changing an email address, granting a permission). The attack depends on the victim's browser sending their session cookies with the framed request, so it targets authenticated pages; cookies marked SameSite=Lax or Strict are not sent to a cross-site iframe, which blunts the attack but does not replace the header.
Fix Example
X-Frame-Options: DENY

Or via CSP (preferred; when both are present, browsers that support frame-ancestors enforce it and ignore X-Frame-Options):

Content-Security-Policy: frame-ancestors 'none';

If your app legitimately frames its own pages, use X-Frame-Options: SAMEORIGIN or frame-ancestors 'self' instead. Do not rely on X-Frame-Options: ALLOW-FROM, which current browsers ignore; use frame-ancestors with an explicit origin list for third-party embedding.
Affected Stacks
All web apps