Describe the bug
Protect against clickjacking attacks by restricting how our pages can be embedded within iframes. Clickjacking attacks involve an attacker displaying our pages within an iframe on a site they control. For example, an attacker could overlay a UI layer over an iframe to trick visitors into triggering actions on our page, as well as overlaying form fields to steal data. Clickjacking has been used to trick users into sharing links on social networks, clicking ads and giving away passwords. Protect against these attacks using the X-Frame-Options response header to restrict which hosts are allowed to embed our pages.
To Reproduce
X-Frame-Options: None
Expected behavior
The possible options are:
- DENY to restrict all URLs
- SAMEORIGIN to allow only URLs from the same origin as your page
- ALLOW-FROM to allow from a specific origin.
For example, X-Frame-Options: DENY will block all iframe usage. You should use a setting that's as restrictive as possible.
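As an added example (not code from this project): a small WSGI middleware that sets X-Frame-Options on every response, alongside an audit function that classifies a response's headers the way a browser would treat them, so the `None` value seen above is flagged as no protection. The middleware, app and helper names are hypothetical; the request and app are constructed for the example.

```python
ALLOWED_VALUES = {"DENY", "SAMEORIGIN"}

def audit_frame_protection(headers):
    """Classify (name, value) response headers for clickjacking protection:
    'protected' (DENY/SAMEORIGIN), 'allow-from' (obsolete; modern browsers
    ignore it), 'invalid' (e.g. the 'None' in the report, treated by
    browsers as no protection) or 'missing'."""
    value = None
    for name, header_value in headers:
        if name.lower() == "x-frame-options":
            value = header_value.strip().upper()
    if value is None:
        return "missing"
    if value in ALLOWED_VALUES:
        return "protected"
    if value.startswith("ALLOW-FROM"):
        return "allow-from"
    return "invalid"

class FrameOptionsMiddleware:
    """Hypothetical WSGI middleware adding X-Frame-Options to every response.
    A header the app already set is kept (a deliberate SAMEORIGIN is not
    overridden by the DENY default)."""

    def __init__(self, app, value="DENY"):
        if value not in ALLOWED_VALUES:
            raise ValueError("use DENY or SAMEORIGIN")
        self.app, self.value = app, value

    def __call__(self, environ, start_response):
        def wrapped_start(status, headers, exc_info=None):
            if not any(n.lower() == "x-frame-options" for n, _ in headers):
                headers = list(headers) + [("X-Frame-Options", self.value)]
            return start_response(status, headers, exc_info)
        return self.app(environ, wrapped_start)

def hello_app(environ, start_response):
    """Constructed sample app that sets no framing header of its own."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]

def run_once(app):
    """Drive a WSGI app with a constructed GET; return (status, headers, body)."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)
    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": "/"}, start_response))
    return captured["status"], captured["headers"], body
```

Wrapping the application object as `FrameOptionsMiddleware(app)` gives DENY by default; pass `value="SAMEORIGIN"` for pages that must be framed by the same site.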