Missing X-Frame-Options HTTP header

Description

This publicly exposed API endpoint does not set the X-Frame-Options header. The header tells the browser whether the response may be rendered inside a frame, iframe, embed, or object. Without it, the API response can be framed by another site, which leaves it exposed to clickjacking attacks.

Remediation

Implement the X-Frame-Options header in all API responses with appropriate values.

Example header values:

# Use DENY to prevent any domain from framing the content
X-Frame-Options: DENY

# Use SAMEORIGIN to allow framing only by the same site
X-Frame-Options: SAMEORIGIN
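To make both the check and the fix concrete, here is an added example (not code from the original page): a checker that flags responses whose X-Frame-Options header is missing or carries a value browsers do not honour, and a WSGI middleware that adds DENY unless a route already set its own value. The `api` endpoint and the `response_headers` helper are constructed stand-ins for a real service.

```python
"""Check API responses for X-Frame-Options and add it where missing.
Added example, not part of the original page. Standard library only;
the WSGI app below is a constructed stand-in for a real API endpoint."""
from typing import Dict, Optional

# Values that reliably block framing in current browsers.
VALID_VALUES = {"DENY", "SAMEORIGIN"}


def check_x_frame_options(headers: Dict[str, str]) -> Optional[str]:
    """Return a finding if the header is missing or weak, else None."""
    value = None
    for name, val in headers.items():
        if name.lower() == "x-frame-options":  # header names are case-insensitive
            value = val.strip()
            break
    if value is None:
        return "missing X-Frame-Options header"
    if value.upper() not in VALID_VALUES:
        # e.g. the obsolete ALLOW-FROM or a typo: browsers ignore the header
        return f"unsupported X-Frame-Options value: {value!r}"
    return None


def frame_guard(app, value: str = "DENY"):
    """WSGI middleware that adds X-Frame-Options unless already set."""
    def wrapped(environ, start_response):
        def guarded_start(status, headers, exc_info=None):
            if not any(n.lower() == "x-frame-options" for n, _ in headers):
                headers.append(("X-Frame-Options", value))
            return start_response(status, headers, exc_info)
        return app(environ, guarded_start)
    return wrapped


def api(environ, start_response):
    """Constructed sample endpoint that omits the header (the finding)."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"ok": true}']


def response_headers(app, path: str = "/api/v1/users") -> Dict[str, str]:
    """Run a WSGI app for one GET request and collect its response headers."""
    captured: Dict[str, str] = {}
    def start_response(status, headers, exc_info=None):
        captured.update(headers)
    list(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured
```

Wrapping the application object with `frame_guard(api)` is enough for every response to carry the header; routes that need SAMEORIGIN can set it themselves and the middleware leaves them alone.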