The remote web server does not set an X-Frame-Options response header
in all content responses. This could potentially expose the site to a
clickjacking or UI Redress attack wherein an attacker can trick a user
into clicking an area of the vulnerable page that is different than
what the user perceives the page to be. This can result in a user
performing fraudulent or malicious transactions.
X-Frame-Options has been proposed by Microsoft as a way to mitigate
clickjacking attacks and is currently supported by all major browser vendors.
Note that while the X-Frame-Options response header is not the only mitigation
for clickjacking, it is currently the most reliable method to detect through automation.
Therefore, this plugin may produce false positives if other mitigation strategies
(e.g frame-busting JavaScript) are deployed or if the page does not perform any
security-sensitive transactions.
Solution
Return the X-Frame-Options HTTP header with the page's response.
This prevents the page's content from being rendered by another site
when using the frame or iframe HTML tags.
Resolução do problema base CentOS / Red Hat Linux para servidor Apache
No httpd.conf localizar a sessão Directory /var/www/html/ ou equivalente, se o Apache tiver virtual hosts deve ser adicionado em todos os virtual hosts carregados e habilitados. Adicionar:
Código: Selecionar todos
Header always append X-Frame-Options SAMEORIGINNo web.config adicionar:
Código: Selecionar todos
<system.webServer>
...
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="SAMEORIGIN" />
</customHeaders>
</httpProtocol>
...
</system.webServer>