AppSec Blog

Adoption of X-FRAME-OPTIONS Header

Late 2008, Jeremiah Grossman and Robert Hansen publicized the clickjacking problem and got the web app security experts all trying to come up with solutions. One of the more viable solution is the X-FRAME-OPTIONS header that allow a site to control whether its content can be within a frame. There are two settings to this header, DENY blocks the content from being in a frame and SAMEORIGIN only allows the content to be framed by pages within the same origin. While it is not the end all and be all of clickjacking solution and won't work in some sites that extensively use frames across multiple sites, it is considered as a more reasonable approach for sites to protect their own content.

Johannes Ullrich and I got a little curious about the adoption of X-FRAME-OPTIONS header in the major sites. We went and got the list of top sites according to Alexa and see if the top sites actually use X-FRAME-OPTIONS header. We expected the results to be low, but when we looked at the results from visiting all these sites, we were a slight bit surprised. Of the TOP 10,000 sites from the Alexa's list, only 4 sites have the header specified. That number obviously is very low.

Not having the X-FRAME-OPTIONS header does not mean these site are not protected from clickjacking, maybe they are using some type of Javascript framebusting, we haven't looked at how many have framebusting deployed yet. It is widely believed that the Javascript only defense is not as good as the attacker could disable Javascript in the frame by setting SECURITY=RESTRICTED on the IFrame to disable the Javascript defense.

As a side note, I am doing my personal part on promoting the X-FRAME-OPTION. In the next major update of my SANS DEV422 course (soon to be 522), there will be emphasis on various defenses against Clickjacking that a site owner can leverage.


Posted October 15, 2009 at 12:49 PM | Permalink | Reply

Jeff Williams

I released a JavaEE filter for X-FRAME-OPTION back in Feb 2009. Very easy to use but haven't heard of anyone using it.

Posted October 22, 2009 at 7:04 PM | Permalink | Reply


It's an interesting idea but just like anything else client side the element can still be blocked/filtered prior to arrival at the browser therefore rendering inclusion of this tag useless (since you can block it, filter it or strip it out).

Post a Comment


* Indicates a required field.