Missing X-Frame-Options HTTP header

Docs > Datadog Security > OOTB Rules > Missing X-Frame-Options HTTP header

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Description

This publicly exposed API endpoint does not implement the X-Frame-Options header. This header allows to control whether a browser should be allowed to render the response in a frame, iframe, embed, or object. Without this header, the API response could be vulnerable to clickjacking attacks.

Remediation

Implement the X-Frame-Options header in all API responses with appropriate values.

Example header values:

# Use DENY to prevent any domain from framing the content
X-Frame-Options: DENY

# Use SAMEORIGIN to allow framing only by the same site
X-Frame-Options: SAMEORIGIN