Control: Site headers must contain X-Frame-Options
Description
The X-Frame-Options header helps prevent clickjacking attacks. The Deep Security Manager enforces the SAMEORIGIN value for this header, which only allows its pages to be embedded in web applications hosted on the same domain.
Usage
Run the control in your terminal:
powerpipe control run net_insights.control.security_headers_x_frame_options
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run net_insights.control.security_headers_x_frame_options --share
Steampipe Tables
net_http_request
SQL
with available_headers as (
  select
    url,
    array_agg(header.key)
  from
    net_http_request,
    jsonb_each(response_headers) as header
  where
    url in (select jsonb_array_elements_text(to_jsonb($1::text[])))
  group by
    url
)
select
  url as resource,
  case
    when array['X-Frame-Options'] <@ array_agg then 'ok'
    else 'alarm'
  end as status,
  case
    when array['X-Frame-Options'] <@ array_agg then url || ' contains required headers ''X-Frame-Options''.'
    else url || ' missing required headers ''X-Frame-Options''.'
  end as reason
from
  available_headers;
Params
| Args | Name | Default | Description | Variable |
|---|---|---|---|---|
| $1 | website_urls | | Website URLs. | |
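The control above only tests whether the X-Frame-Options header is present in the response. The following Python snippet is an added example, not part of the net_insights mod or Steampipe, that reproduces the control's ok/alarm decision outside Steampipe over a constructed set of response headers, and goes one step further: it also checks that the header's value is one browsers still honour (DENY or SAMEORIGIN), since the obsolete ALLOW-FROM form is ignored by current browsers and gives no clickjacking protection even though the header is "present". The sample URLs and headers are constructed for the demonstration.

```python
"""Evaluate X-Frame-Options on captured HTTP response headers.

Mirrors the Powerpipe control's decision (header present -> 'ok',
absent -> 'alarm') and additionally rejects values browsers do not honour.
Added example; the URLs and headers below are constructed, not real captures.
"""
from typing import Dict, Tuple

# Values that modern browsers honour. ALLOW-FROM was dropped from browsers,
# so a header carrying it offers no protection and is reported as an alarm.
VALID_XFO = {"DENY", "SAMEORIGIN"}


def evaluate_x_frame_options(url: str, headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (status, reason) for one URL, using the control's own wording."""
    # HTTP header names are case-insensitive; normalise before the lookup so
    # a server sending 'x-frame-options' is not wrongly flagged as missing.
    lowered = {name.lower(): value for name, value in headers.items()}
    value = lowered.get("x-frame-options")
    if value is None:
        return "alarm", f"{url} missing required headers 'X-Frame-Options'."
    token = value.strip().upper()
    if token in VALID_XFO:
        return "ok", f"{url} contains required headers 'X-Frame-Options'."
    # Header present but unusable: surface it instead of reporting a clean pass.
    return "alarm", f"{url} has X-Frame-Options with unsupported value '{value.strip()}'."


def evaluate_all(responses: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[str, str]]:
    """Evaluate every URL in a {url: headers} mapping, like the control's GROUP BY url."""
    return {url: evaluate_x_frame_options(url, hdrs) for url, hdrs in responses.items()}


# Constructed sample responses (hypothetical hosts, not real captures).
SAMPLE_RESPONSES = {
    "https://sameorigin.example": {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"},
    "https://deny.example": {"content-type": "text/html", "x-frame-options": " deny "},
    "https://missing.example": {"Content-Type": "text/html"},
    "https://allowfrom.example": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}

if __name__ == "__main__":
    for url, (status, reason) in evaluate_all(SAMPLE_RESPONSES).items():
        print(f"{status:5s} {reason}")
```

Two points are worth keeping in mind when reading the control's results. First, a site that omits X-Frame-Options but sends a Content-Security-Policy `frame-ancestors` directive is still protected in browsers that support CSP (which take `frame-ancestors` over X-Frame-Options when both are present), so an alarm from this control may warrant a look at the CSP header before treating it as a finding. Second, as the example shows, presence alone is not sufficient; the value should be DENY or SAMEORIGIN.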