Uğurcan Şengit

Reputation: 1026

Is it Meaningful to Add 'x-frame-options' in a RESTful API

We are developing a RESTful API that fulfils various events. We have done a Nessus vulnerability scan to see security leaks. It turned out that we have some leaks that lead to clickjacking, and we have found the solution. I have added x-frame-options as SAMEORIGIN in order to handle the problems.

My question here is: since I am an API, do I need to handle clickjacking? I guess a 3rd-party user should be able to reach my API over an iframe, and I don't need to handle this.

Do I miss something? Could you please share your ideas?

Upvotes: 30

Views: 17198

Answers (3)

Ryan Armstrong

Reputation: 11

In addition to the OWASP recommendation and reasons stated in the other answers, there are legitimate attacks that can be conducted against frameable API responses containing sensitive information. See: GOTCHA: Taking phishing to a whole new level.

Essentially, the attack manipulates the sensitive information to deceive target users into disclosing the information to the attacker. Therefore, whether via X-Frame-Options or Content-Security-Policy (with the frame-ancestors directive), API responses should be restricted from being framed by arbitrary origins.

Upvotes: 1

nickspoon

Reputation: 1397

Edit 2019-10-07: @Taytay's PR has been merged, so the OWASP recommendation now says that the server should send an X-Frame-Options header.
Original answer:

OWASP recommends that clients send an X-Frame-Options header, but makes no mention of the API itself.

I see no scenario where it makes any sense for the API to return clickjacking security headers - there is nothing to be clicked in an iframe!

Upvotes: 17

Steve Chadbourne

Reputation: 6953

OWASP recommends that not only do you send an X-Frame-Options header but that it is set to DENY.

These are recommendations not for a web site but for a REST service.

The scenario where it makes sense to do this is exactly the one the OP mentioned - running a vulnerability scan.

If you do not return a correct X-Frame-Options header the scan will fail. This matters when proving to customers that your endpoint is safe.

It is much easier to provide your customer a passing report than have to argue why a missing header does not matter.

Adding an X-Frame-Options header should not affect the endpoint consumer, as it is not a browser with an iframe.

Upvotes: 17
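As an added illustration of the two answers above (not code from any of the posters), the following WSGI middleware adds the headers they recommend, `X-Frame-Options: DENY` and the CSP `frame-ancestors 'none'` directive, to every API response, and a small checker reproduces the test a scanner applies when it flags a response as frameable by arbitrary origins. The app and helper names are hypothetical; the header names and values are the real ones.

```python
from wsgiref.util import setup_testing_defaults

# Legacy X-Frame-Options plus the CSP frame-ancestors directive that
# supersedes it in modern browsers; sending both covers old and new clients.
ANTI_FRAMING_HEADERS = [
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "frame-ancestors 'none'"),
]

def anti_framing_middleware(app):
    """Wrap a WSGI app so every response carries the anti-framing headers."""
    def wrapped(environ, start_response):
        def patched_start(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            for name, value in ANTI_FRAMING_HEADERS:
                if name.lower() not in present:  # keep the app's own choice
                    headers.append((name, value))
            return start_response(status, headers, exc_info)
        return app(environ, patched_start)
    return wrapped

def is_frameable_by_arbitrary_origins(headers):
    """True when a response (list of (name, value) pairs) could be embedded
    in an <iframe> by any origin, which is what a scanner reports."""
    xfo = None
    frame_ancestors = None
    for name, value in headers:
        lname = name.lower()
        if lname == "x-frame-options":
            xfo = value.strip().upper()
        elif lname == "content-security-policy":
            for directive in value.split(";"):
                parts = directive.split()
                if parts and parts[0].lower() == "frame-ancestors":
                    frame_ancestors = [p.lower() for p in parts[1:]]
    # Browsers that understand frame-ancestors ignore X-Frame-Options.
    if frame_ancestors is not None:
        return any(src in ("*", "http:", "https:") for src in frame_ancestors)
    return xfo not in ("DENY", "SAMEORIGIN")

def api_app(environ, start_response):
    """Hypothetical JSON endpoint that sets no security headers of its own."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"status": "ok"}']

def collect_headers(app):
    """Send one request through a WSGI app and return its response headers."""
    environ, captured = {}, []
    setup_testing_defaults(environ)
    def start_response(status, headers, exc_info=None):
        captured.extend(headers)
    list(app(environ, start_response))
    return captured
```

Running `collect_headers(api_app)` through the checker reports the bare endpoint as frameable, while `collect_headers(anti_framing_middleware(api_app))` passes, which is the difference the OP's scan report shows.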
