NFA Harvester - Missing or Permissive X-Frame-Options Header
Article ID: 259847

Products

CA Network Flow Analysis (NetQos / NFA)

Issue/Introduction

Hi Support,

A VA scan detected the "Missing or Permissive X-Frame-Options Header" threat from the CA NFA Harvester server:

Observations:
We observed that the remote web server does not take steps to mitigate clickjacking attacks by setting a restrictive X-Frame-Options response header (i.e. with either "DENY" or "SAMEORIGIN").

Recommendations:
We recommend setting an X-Frame-Options header with either 'DENY' or 'SAMEORIGIN' for all requested resources.

Environment

Release: 21.2

Resolution

Ensure that X-Frame-Options is set to SAMEORIGIN on the Default Web Site:

Once this is set, re-run the scan.
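The scan's rule (only a single DENY or SAMEORIGIN value counts as restrictive) can be checked from a workstation before and after the IIS change. The script below is an added example written for this article, not code from NFA or the scanner; it assumes the Harvester web interface is reachable by URL and treats a missing, duplicated, malformed or ALLOW-FROM header as a finding.

```python
"""Classify an HTTP response's X-Frame-Options header the way the VA scan does.
Added example for this article; not part of NFA.  Only exactly one value of
DENY or SAMEORIGIN satisfies the scanner's recommendation."""
import ssl
import urllib.request

RESTRICTIVE = {"DENY", "SAMEORIGIN"}


def classify_xfo(headers) -> str:
    """Return 'missing', 'restrictive', 'permissive' or 'invalid'.

    headers: a dict, a list of (name, value) pairs, or any object whose .items()
    yields such pairs (urllib's response.headers lists duplicate header lines
    as separate pairs, which is what makes the 'invalid' case detectable).
    """
    pairs = headers.items() if hasattr(headers, "items") else headers
    values = [v for k, v in pairs if k.lower() == "x-frame-options"]
    if not values:
        return "missing"          # the NFA Harvester finding in this article
    # Conflicting duplicate lines, or several comma-separated values on one
    # line, are unparseable to browsers and give no clickjacking protection.
    tokens = {t.strip().upper() for v in values for t in v.split(",") if t.strip()}
    if len(tokens) != 1:
        return "invalid"
    token = tokens.pop()
    if token in RESTRICTIVE:
        return "restrictive"      # what the scan accepts
    if token == "ALLOWALL" or token.startswith("ALLOW-FROM"):
        return "permissive"       # obsolete values that current browsers ignore
    return "invalid"


def passes_scan(headers) -> bool:
    """True only when the header would satisfy the scanner's recommendation."""
    return classify_xfo(headers) == "restrictive"


def check_url(url: str, verify_tls: bool = True, timeout: float = 10.0) -> str:
    """Fetch url and classify X-Frame-Options on the final (post-redirect) response.
    verify_tls=False is only for appliances still using a self-signed certificate."""
    ctx = None if verify_tls else ssl._create_unverified_context()
    req = urllib.request.Request(url, headers={"User-Agent": "xfo-check"})
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return classify_xfo(resp.headers)


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real Harvester.
    samples = {"no header": {"Content-Type": "text/html"},
               "after fix": {"X-Frame-Options": "SAMEORIGIN"},
               "conflicting lines": [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")]}
    for label, hdrs in samples.items():
        print(f"{label:18s} -> {classify_xfo(hdrs)} (passes scan: {passes_scan(hdrs)})")
```

Run `check_url("https://<harvester-host>/")` against each resource the scanner flagged; every one should return `restrictive` before the scan is repeated.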