
150081 Clickjacking - X-Frame-Options header is not set - possible false detection?

Question asked by Aleš Zrak on Sep 15, 2016
Latest reply on May 25, 2017 by Dave Ferguson

Hello everyone,


I recently performed a vulnerability scan for our website, which detected vulnerability 150081 - possible clickjacking.

Qualys reports there is no X-Frame-Options header sent by us, which is not true - we are setting this header via .htaccess file:


<IfModule mod_headers.c>
  # Browser-side hardening headers
  Header set X-XSS-Protection "1; mode=block"
  Header set X-Content-Type-Options "nosniff"
  # Clickjacking protection: only allow framing from the same origin
  Header always append X-Frame-Options SAMEORIGIN

  <FilesMatch "\.(js|css|xml|gz)$">
    Header append Vary Accept-Encoding
  </FilesMatch>
</IfModule>


If I open developer tools in my browser, I see the header here:

Is this the correct way to implement this for it to be recognized by Qualys?

Or could this be a false alert?


Thank you very much for any hint,
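An added example, not part of the original post or of Qualys, showing how to check what a scanner actually sees: it evaluates the X-Frame-Options (and CSP frame-ancestors) headers of a response and flags the absent, conflicting or unsupported cases. The header lists below are constructed sample input; `fetch_headers` uses urllib against a live URL and is the only part that needs network access.

```python
"""Verify clickjacking protection in HTTP response headers, as a scanner sees it."""
import urllib.request

VALID_XFO = {"DENY", "SAMEORIGIN"}


def frame_protection(headers):
    """Evaluate X-Frame-Options and CSP frame-ancestors in a response.

    `headers` is a list of (name, value) pairs, e.g. response.getheaders()
    from urllib. Names are compared case-insensitively. Returns a dict with
    'protected' (bool) and 'findings' (list of str) explaining the verdict.
    """
    findings = []
    # Apache 'Header append' joins repeated values with ", ", so split on commas
    xfo_tokens = [
        tok.strip().upper()
        for name, value in headers if name.lower() == "x-frame-options"
        for tok in value.split(",") if tok.strip()
    ]
    csp_values = [v for n, v in headers if n.lower() == "content-security-policy"]
    csp_frame_ancestors = any("frame-ancestors" in v.lower() for v in csp_values)

    xfo_ok = False
    if not xfo_tokens:
        findings.append("X-Frame-Options header absent")
    elif len(set(xfo_tokens)) > 1:
        findings.append(f"conflicting X-Frame-Options values {sorted(set(xfo_tokens))}; "
                        "fix the configuration rather than rely on browser fallback")
    elif xfo_tokens[0] not in VALID_XFO:
        findings.append(f"unsupported X-Frame-Options value {xfo_tokens[0]!r}; "
                        "current browsers only honour DENY or SAMEORIGIN")
    else:
        xfo_ok = True

    if not csp_frame_ancestors:
        findings.append("no Content-Security-Policy frame-ancestors directive")
    return {"protected": xfo_ok or csp_frame_ancestors, "findings": findings}


def fetch_headers(url, timeout=10):
    """Fetch the final response headers of `url` (redirects are followed)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.getheaders()


# Constructed sample responses (not captured from any real site):
SAMPLE_OK = [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")]
SAMPLE_MISSING = [("Content-Type", "text/html"), ("Vary", "Accept-Encoding")]
SAMPLE_CONFLICT = [("X-Frame-Options", "SAMEORIGIN, DENY")]

if __name__ == "__main__":
    for label, hdrs in [("ok", SAMPLE_OK), ("missing", SAMPLE_MISSING),
                        ("conflict", SAMPLE_CONFLICT)]:
        print(label, frame_protection(hdrs))
```

Run `frame_protection(fetch_headers("https://<your-site>/"))` against each scanned URL; a response that is protected in the browser but flagged by the scanner usually differs at one of these checks (header absent on that path, duplicated by another layer, or only set on some file types).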