Multiple X-Frame-Options header


Article ID: 235509




Products: CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On Agents (SiteMinder)


Capturing the HTTP headers shows that the response carries multiple X-Frame-Options headers:

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN

Is this a problem?
What should be done?


Release: 12.5


The Web Agent sets the X-Frame-Options (XFO) header when the Agent Configuration Object (ACO) is configured to do so.

The RFC only restricts what the value of the header can be; it does not explicitly say that there should be only one XFO header in the response.

2.1.  Syntax

   The header field name is:

      X-Frame-Options

   There are three different values for the header field.  These values
   are mutually exclusive; that is, the header field MUST be set to
   exactly one of the three values.


The following illustration shows how multiple XFO headers can be returned.

In this case, depending on the URI, the response can carry different XFO headers, and more than one of them:

1. http://<proxy>/app1/  --> XFO:DENY
2. http://<proxy>/app2/  --> XFO:DENY & XFO:SAMEORIGIN

It becomes even more complicated if the XFO header is also set at the <proxy>, because that adds yet another XFO header to the response.



As the RFC indicates, XFO header values must not be merged (usually by joining them with a comma), because the merged value is invalid.
There must be only one value:

X-Frame-Options: DENY, SAMEORIGIN (Invalid)

It is also invalid to have multiple X-Frame-Options headers in one response:

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
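To verify a captured response against the two invalid forms above, here is an added Python check (not part of this article or of the SiteMinder product) that flags duplicate XFO headers, comma-merged values, and any value outside the three the RFC allows; the sample response is constructed.

```python
"""Check a captured HTTP response for X-Frame-Options (XFO) problems:
more than one XFO header, a comma-merged value, or a value that is not
one of the three the RFC permits. Added example, not from the KB article."""
from typing import List, Tuple

# The RFC permits exactly one of: DENY, SAMEORIGIN, ALLOW-FROM <uri>.
ALLOWED = ("DENY", "SAMEORIGIN")


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw response (status line + header block) into (name, value)
    pairs, keeping duplicates in order so repeated headers stay visible."""
    lines = raw.replace("\r\n", "\n").split("\n")
    pairs = []
    for line in lines[1:]:          # skip the status line
        if not line.strip():
            break                   # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check_xfo(raw: str) -> List[str]:
    """Return a list of findings; an empty list means the response carries
    exactly one well-formed X-Frame-Options header."""
    values = [v for n, v in parse_headers(raw) if n == "x-frame-options"]
    findings = []
    if not values:
        return ["no X-Frame-Options header"]
    if len(values) > 1:
        findings.append(f"{len(values)} X-Frame-Options headers: {values}")
    for v in values:
        if "," in v:
            findings.append(f"merged value is invalid: {v!r}")
            continue
        upper = v.upper()
        if upper in ALLOWED or upper.startswith("ALLOW-FROM "):
            continue
        findings.append(f"value not permitted by the RFC: {v!r}")
    return findings


# Constructed sample: the duplicate-header case from the illustration (app2).
SAMPLE_DUPLICATE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: DENY\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for finding in check_xfo(SAMPLE_DUPLICATE):
        print(finding)
```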


Decide which component (the frontend proxy or the backend) will set the XFO header, so that the response contains only ONE X-Frame-Options header.


Additional Information

NetSparker KB Link