5.14 Ensure Browser Framing Is Restricted

Information

The Header directive allows server HTTP response headers to be added, replaced, or merged. Use it to add a response header that tells browsers not to allow any of the site's web pages to be framed by other web sites.

Rationale:

Using iframes and regular web frames to embed malicious content alongside expected web content has long been a favored vector for attacking web clients. This can happen when the attacker lures the victim to a malicious web site that uses frames to include the expected content from the legitimate site. The attack can also be performed via XSS (reflected, DOM-based or stored) to add the malicious content to the legitimate web site itself. To counter this vector, the HTTP response header X-Frame-Options was introduced; it allows a server to specify whether a web page may be loaded in any frame at all ('DENY') or only in frames whose page shares the same origin ('SAMEORIGIN').

Solution

Perform the following to implement the recommended state:

Add or modify the 'Header' directive for the 'X-Frame-Options' header in the Apache configuration to have the condition 'always', an action of 'append', and a value of 'SAMEORIGIN', as shown below.

Header always append X-Frame-Options SAMEORIGIN
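The following audit helper is an added example and is not part of the CIS benchmark text or of Apache itself. It checks an Apache configuration file for an uncommented Header directive that carries the 'always' condition, an 'append' or 'set' action, the X-Frame-Options header, and a restrictive value ('SAMEORIGIN' or 'DENY'), which is the state the solution above asks for. The configuration contents below are constructed for the demonstration; the function name check_xfo is an assumption.

```shell
#!/bin/sh
# Added example (not part of the benchmark): audit helper for the
# X-Frame-Options Header directive recommended in the solution above.

# check_xfo FILE
# Returns 0 (PASS) when FILE contains an uncommented line of the form
#   Header always append|set X-Frame-Options SAMEORIGIN|DENY
# and 1 (FAIL) otherwise. Commented-out directives and lines missing the
# 'always' condition are rejected: without 'always' mod_headers only adds
# the header to successful (2xx) responses, so error pages stay frameable.
check_xfo() {
    file="$1"
    if grep -v '^[[:space:]]*#' "$file" \
       | grep -Eiq '^[[:space:]]*Header[[:space:]]+always[[:space:]]+(append|set)[[:space:]]+"?X-Frame-Options"?[[:space:]]+"?(SAMEORIGIN|DENY)"?([[:space:]]|$)'; then
        echo "PASS: $file restricts framing via X-Frame-Options"
        return 0
    fi
    echo "FAIL: $file has no compliant 'Header always ... X-Frame-Options' directive"
    return 1
}

# Constructed sample configurations used only for this demonstration.
good=$(mktemp); bad=$(mktemp)
cat > "$good" <<'EOF'
# Constructed sample: compliant configuration
LoadModule headers_module modules/mod_headers.so
Header always append X-Frame-Options SAMEORIGIN
EOF
cat > "$bad" <<'EOF'
# Constructed sample: the recommended line is commented out, and the live
# directive lacks the 'always' condition
# Header always append X-Frame-Options SAMEORIGIN
Header append X-Frame-Options SAMEORIGIN
EOF

check_xfo "$good"
check_xfo "$bad" || true
rm -f "$good" "$bad"
```

Run the check over every file Apache reads (the main configuration plus anything pulled in by Include, including virtual host files), since the directive may be set in any of them. The authoritative test is the live response: confirm that headers_module is loaded (`apachectl -M | grep headers_module`) and that `curl -sI http://<host>/ | grep -i x-frame-options` returns the header on both normal pages and error pages. Because 'append' merges values, a second X-Frame-Options directive elsewhere in the configuration would produce a comma-separated header that browsers do not accept, so resolve the check output down to a single directive per response.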

See Also

https://workbench.cisecurity.org/files/2378

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, CSCv6|18, CSCv7|5.1

Plugin: Unix

Control ID: 16267b61564beecc43764faf014188c4dbd07561c2115d8348cc3e1490fc4d70