Description

This publicly exposed API endpoint does not implement the X-Frame-Options header. This header allows to control whether a browser should be allowed to render the response in a frame, iframe, embed, or object. Without this header, the API response could be vulnerable to clickjacking attacks.

Remediation

Implement the X-Frame-Options header in all API responses with appropriate values.

Example header values:

# Use DENY to prevent any domain from framing the content
X-Frame-Options: DENY

# Use SAMEORIGIN to allow framing only by the same site
X-Frame-Options: SAMEORIGIN