user187205

Reputation: 330

Is it necessary to set X-Frame-Options for 404 Not Found pages

In the Clickjacking Defense Cheat Sheet, OWASP recommends setting the X-Frame-Options header for all responses containing HTML content, but I am not sure whether it is also necessary to set this header for 404 Not Found pages that contain only this HTML content (without any links):

<html><head><title>Error</title></head><body>404 - Not Found</body></html>

Upvotes: 0

Views: 2339

Answers (2)

SilverlightFox

Reputation: 33538

Unless framing is required, I would always advise setting X-Frame-Options: DENY and also the new, standard Content Security Policy frame-ancestors directive.

The reason is that there are other attacks, such as Cross Site History Manipulation (XSHM) and Path-Relative Stylesheet Import (PRSSI), that rely on the victim site being framed.

That said, if your 404 page has "nothing to Clickjack" there is little benefit in preventing framing here in order to prevent Clickjacking. PRSSI also requires that the content is dynamic and XSHM shouldn't really be affected in terms of timing attacks as the target page still has to load before the browser knows not to display it in a frame.

Therefore,

Is it necessary to set X-Frame-Options for 404 Not Found pages

No.

Upvotes: 2

Gabor Lengyel

Reputation: 15560

X-Frame-Options protects against attacks like Clickjacking (where an attacker uses iframes to transparently display your site over his own content in order to have a user click on invisible things that the user didn't want to click), or things like pixel-perfect timing attacks.

If you are not worried about these (application state cannot be changed on the page and there is no information to be stolen), I think you don't strictly need X-Frame-Options.

It's probably easier sometimes to set it up in a way that a component (the web server mainly) just adds the header to all responses. If that's not the case for you, I think you can have your 404 page without X-Frame-Options and that's still fine.

Upvotes: 1
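Both answers come down to the same practical advice: let one component add the anti-framing headers to every response so the question of which status codes need them never arises, and check that it actually did. The following is an added example, not code from the question or either answer. It is a small WSGI middleware (the application, its paths and the page bodies are constructed for illustration) that appends X-Frame-Options: DENY and a CSP frame-ancestors 'none' directive to every response, including the 404 page, unless the application already set one, plus a checker that decides from a response's headers whether an arbitrary third-party origin can frame the page. The checker gives frame-ancestors precedence over X-Frame-Options, as browsers that support both do.

```python
"""Add anti-framing headers to every response of a WSGI app, 404s included,
and check a response's headers for them. Added example, not from the original
page; the app, paths and page bodies below are constructed for illustration."""
from wsgiref.util import setup_testing_defaults

# The two headers the answers recommend: the legacy X-Frame-Options and the
# CSP frame-ancestors directive that browsers prefer when both are present.
ANTI_FRAMING_HEADERS = [
    ("X-Frame-Options", "DENY"),
    ("Content-Security-Policy", "frame-ancestors 'none'"),
]


def site(environ, start_response):
    """Constructed sample app: one real page; everything else gets the 404 page."""
    if environ.get("PATH_INFO", "/") == "/":
        start_response("200 OK", [("Content-Type", "text/html")])
        return [b"<html><body>Home</body></html>"]
    start_response("404 Not Found", [("Content-Type", "text/html")])
    return [b"<html><head><title>Error</title></head><body>404 - Not Found</body></html>"]


def anti_framing(app):
    """Wrap app so the headers are appended to every response regardless of
    status, unless the app already set one (a page that must be framed can
    opt out by emitting its own X-Frame-Options / CSP header)."""
    def wrapped(environ, start_response):
        def start(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            extra = [(n, v) for n, v in ANTI_FRAMING_HEADERS if n.lower() not in present]
            return start_response(status, headers + extra, exc_info)
        return app(environ, start)
    return wrapped


def call(app, path):
    """Drive a WSGI app in-process (no network) and return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    out = {}

    def start_response(status, headers, exc_info=None):
        out["status"], out["headers"] = status, list(headers)

    body = b"".join(app(environ, start_response))
    return out["status"], out["headers"], body


def framing_blocked(headers):
    """True if these response headers stop an arbitrary third-party origin from
    framing the page. headers: iterable of (name, value) pairs or a mapping.
    A frame-ancestors directive, when present, decides on its own; otherwise
    fall back to X-Frame-Options DENY or SAMEORIGIN."""
    items = headers.items() if hasattr(headers, "items") else headers
    lowered = [(n.lower(), v) for n, v in items]
    for name, value in lowered:
        if name != "content-security-policy":
            continue
        for directive in value.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = {s.lower() for s in parts[1:]}
                # '*' or a bare scheme lets any origin frame the page
                return not (sources & {"*", "http:", "https:"})
    for name, value in lowered:
        if name == "x-frame-options":
            return value.strip().upper() in ("DENY", "SAMEORIGIN")
    return False


if __name__ == "__main__":
    for path in ("/", "/does-not-exist"):
        status, headers, _ = call(anti_framing(site), path)
        print(status, "framing blocked:", framing_blocked(headers))
```

Running the script shows the 200 and the 404 response both carrying the headers. The same checker can be pointed at a real deployment by feeding it the headers from an HTTP response to a non-existent path; a 404 page without them is what you get when the headers are set per-page rather than, as the second answer suggests, by the web server for all responses.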

Related Questions