===Desired System Behavior===
The X-Frame-Options header is present for all HTML pages on the website. The specified value of "DENY" or "SAMEDOMAIN" is a decision made by the application owners. Either value is acceptable for this test.

===Further information===
This item can be tested by requesting several pages within the application and inspecting the HTTP response. Look for the header value "X-Frame-Options". Below is an example of an HTTP response for a site using this header:

<pre>
HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SameOrigin
Vary: Accept-Encoding
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
</pre>
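The check described above, as an added example that is not part of the original wiki page: a small Python script that parses a raw HTTP response, decides whether the page is HTML (the scope of this test), and reports whether X-Frame-Options is present with an accepted value. Header names and values are compared case-insensitively, since servers emit variants such as "SameOrigin"; the sample responses are constructed for this example.

```python
# Added example (not from the original page): evaluate the X-Frame-Options test
# against a raw HTTP response captured while browsing the application.
from typing import Dict, Tuple

# Values the test accepts; compared case-insensitively (assumption for this example).
ACCEPTABLE = {"DENY", "SAMEORIGIN"}


def parse_headers(raw: str) -> Dict[str, str]:
    """Return {lowercased-name: value} for the header block of a raw HTTP response."""
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head = raw.split(sep, 1)[0]
    headers: Dict[str, str] = {}
    for line in head.replace("\r\n", "\n").split("\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def check_x_frame_options(raw: str) -> Tuple[bool, str]:
    """Return (passed, reason). Non-HTML responses are out of scope for this test."""
    h = parse_headers(raw)
    if not h.get("content-type", "").lower().startswith("text/html"):
        return True, "not an HTML page; header not required by this test"
    value = h.get("x-frame-options")
    if value is None:
        return False, "X-Frame-Options header missing"
    if value.upper() in ACCEPTABLE:
        return True, f"X-Frame-Options: {value}"
    return False, f"unexpected X-Frame-Options value: {value}"


# Constructed sample responses: GOOD mirrors the page's example, MISSING omits the header.
GOOD = ("HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Frame-Options: SameOrigin\r\n"
        "Vary: Accept-Encoding\r\nCache-Control: no-cache\r\n"
        "Content-Type: text/html; charset=utf-8\r\n\r\n<html></html>")
MISSING = ("HTTP/1.1 200 OK\r\nServer: Apache\r\n"
           "Content-Type: text/html; charset=utf-8\r\n\r\n<html></html>")

if __name__ == "__main__":
    for raw in (GOOD, MISSING):
        print(check_x_frame_options(raw))
```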
=Other Resources=