Missing X-Frame-Options HTTP header

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Description

This publicly exposed API endpoint does not implement the X-Frame-Options header. This header allows to control whether a browser should be allowed to render the response in a frame, iframe, embed, or object. Without this header, the API response could be vulnerable to clickjacking attacks.

Remediation

Implement the X-Frame-Options header in all API responses with appropriate values.

Example header values:

# Use DENY to prevent any domain from framing the content
X-Frame-Options: DENY

# Use SAMEORIGIN to allow framing only by the same site
X-Frame-Options: SAMEORIGIN