5.3.1 Ensure X-Frame-Options header is configured and enabled

Information

The X-Frame-Options header should be set to allow specific websites or no sites at all to embed your website as an object within their own, depending on your organizational policy and application needs.

Rationale:

The X-Frame-Options header allows you to mitigate the risk of clickjacking attacks.

Impact:

Implementing this may block legitimate partner sites from embedding your website if this header is not configured properly.

Solution

Add the below to your server blocks in your nginx configuration. The policy should be configured to meet your organization's needs.

add_header X-Frame-Options 'SAMEORIGIN' always;

Default Value:

This is not configured by default.

See Also

https://workbench.cisecurity.org/files/4212