What is x-frame-options DENY in CDD Rest API response headers?

Article ID: 203995

Products

Continuous Delivery Director

Issue/Introduction

We noticed that a call to the CDD REST API returns DENY in the x-frame-options response header. Is it an error?

{
  "access-control-allow-origin": "https://testserver:8443",
  "content-security-policy": "script-src 'self' 'unsafe-eval' 'unsafe-inline' ....",
  "content-type": "application/json;charset=UTF-8",
  "date": "Mon, 23 Nov 2020 14:29:36 GMT",
  "hostname": "testserver",
  "server": "Apache-Coyote/1.1",
  "strict-transport-security": "max-age=31536000",
  "transfer-encoding": "chunked",
  "vary": "Origin",
  "x-content-type-options": "nosniff",
  "x-frame-options": "DENY",
  "x-xss-protection": "1; mode=block"
}

Environment

Release : 7.3

Component : CONTINUOUS DELIVERY DIRECTOR

Resolution

The "x-frame-options": "DENY" header is not an error. It is a protection against clickjacking: it instructs the browser not to render this response inside a frame (iframe, frame, embed or object) on any page, so no other domain can embed the CDD page and overlay it with deceptive UI. Note that DENY is the strictest value; unlike SAMEORIGIN, it also blocks framing from the CDD origin itself, which is the intended behaviour for the REST API.
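As an added example (not part of this article or of the CDD product), the following Python function classifies the anti-framing posture of a captured response from its headers, so a reviewer can confirm that DENY is the expected, strictest setting rather than an error. The header map is taken from the response shown above, with the elided CSP value kept as-is.

```python
"""Classify a response's clickjacking protection from its headers."""
from typing import Dict

# Headers copied from the captured CDD response above (CSP value elided there).
CDD_RESPONSE_HEADERS: Dict[str, str] = {
    "access-control-allow-origin": "https://testserver:8443",
    "content-security-policy": "script-src 'self' 'unsafe-eval' 'unsafe-inline' ....",
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "x-xss-protection": "1; mode=block",
}


def framing_policy(headers: Dict[str, str]) -> str:
    """Return 'deny', 'sameorigin', 'allowlist', 'weak' or 'none'.

    Header names are compared case-insensitively. A CSP frame-ancestors
    directive overrides X-Frame-Options in browsers that support it, so it is
    checked first; X-Frame-Options is the fallback for older browsers.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = value.split()
            if sources == ["'none'"]:
                return "deny"
            if sources == ["'self'"]:
                return "sameorigin"
            return "allowlist"  # specific origins may frame the response
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "deny"
    if xfo == "SAMEORIGIN":
        return "sameorigin"
    if xfo:
        return "weak"  # e.g. deprecated ALLOW-FROM, which modern browsers ignore
    return "none"  # no anti-framing header at all: any site may frame it


if __name__ == "__main__":
    print(framing_policy(CDD_RESPONSE_HEADERS))  # deny
```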

Additional Information

For more details on X-Frame-Options, please refer to the documentation.