X-Frame-Options header is set to SAMEORIGIN

Description

in
https://synapse.org/
https://synapse.org/opensearch.xml
https://synapse.org/favicon.ico
https://synapse.org/bootstrap-3.0/assets/js/html5shiv.js
https://synapse.org/bootstrap-3.0/assets/js/respond.min.js
https://synapse.org/manifest.json

as per the June 2019 WAS Scan report:

Threat
The X-Frame-Options header is not set in the HTTP response, which may lead to a possible framing of the page. An attacker can trick users into clicking on a malicious link by framing the original page and showing a layer on top of it with legitimate-looking buttons.

Impact
Attacks such as Clickjacking could potentially be performed.

Solution
The "X-Frame-Options:" header allows three options: DENY, SAMEORIGIN and ALLOW-FROM. It is recommended to set "X-FRAME-OPTIONS" to DENY, which won't allow any domain to frame the site, or SAMEORIGIN, which only allows framing by the same site. DENY and SAMEORIGIN are supported by all browsers. Setting "X-FRAME-OPTIONS" to ALLOW-FROM may still leave users vulnerable to Clickjacking since not all browsers support ALLOW-FROM, including CHROME and SAFARI. For more information, see https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet. For more common X-FRAME-OPTIONS implementation errors please visit the link below: https://blog.qualys.com/securitylabs/2015/10/20/clickjacking-a-common-implementation-mistake-that-can-put-your-websites-in-danger
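To verify the fix across every resource the scan listed, the following check (added here as an example; it is not code from the WAS scan report or from synapse.org) evaluates the X-Frame-Options value on each captured response the way the Solution above describes: a missing header means the page can be framed, DENY or SAMEORIGIN counts as protected, and ALLOW-FROM is flagged as weak because Chrome and Safari do not support it. It goes slightly beyond the report by normalising case and flagging conflicting duplicate headers as needing review. The responses are constructed samples for the URLs in this ticket, not real captures.

```python
"""Evaluate the X-Frame-Options header on captured HTTP responses.

Added example for this ticket; it is not code from the WAS scan report or from
synapse.org. The responses below are constructed to illustrate each finding.
"""

PROTECTED = "protected"   # DENY or SAMEORIGIN
MISSING = "missing"       # header absent: page can be framed (the scan finding)
WEAK = "weak"             # ALLOW-FROM: not supported by Chrome and Safari
INVALID = "invalid"       # unrecognised or conflicting values (assumed verdict)


def parse_response_headers(raw):
    """Return (status_line, [(name_lower, value), ...]) from raw HTTP headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def classify_xfo(values):
    """Classify the list of X-Frame-Options values found on one response."""
    if not values:
        return MISSING, "X-Frame-Options header not set"
    normalised = {v.strip().upper() for v in values}
    if len(normalised) > 1:
        # Duplicate headers with different values: treat as misconfiguration to review.
        return INVALID, "conflicting X-Frame-Options values: " + ", ".join(sorted(normalised))
    value = normalised.pop()
    if value in ("DENY", "SAMEORIGIN"):
        return PROTECTED, value
    if value.startswith("ALLOW-FROM"):
        return WEAK, "ALLOW-FROM is not honoured by all browsers (e.g. Chrome, Safari)"
    return INVALID, "unrecognised value " + repr(values[0])


def check_response(raw):
    """Verdict for one raw HTTP response."""
    _, headers = parse_response_headers(raw)
    values = [v for name, v in headers if name == "x-frame-options"]
    return classify_xfo(values)


def scan(responses):
    """Map each URL to (verdict, detail) so the fix can be confirmed on all resources."""
    return {url: check_response(raw) for url, raw in responses.items()}


# Constructed responses for resources listed in the ticket (not real captures).
SAMPLE_RESPONSES = {
    "https://synapse.org/": (
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        "X-Frame-Options: SAMEORIGIN\r\n\r\n<html>..."
    ),
    "https://synapse.org/favicon.ico": (
        "HTTP/1.1 200 OK\r\nContent-Type: image/x-icon\r\n\r\n"
    ),
    "https://synapse.org/manifest.json": (
        "HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
        "X-Frame-Options: allow-from https://example.org\r\n\r\n{}"
    ),
    "https://synapse.org/opensearch.xml": (
        "HTTP/1.1 200 OK\r\nContent-Type: application/xml\r\n"
        "X-Frame-Options: DENY\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n<xml/>"
    ),
}

if __name__ == "__main__":
    for url, (verdict, detail) in scan(SAMPLE_RESPONSES).items():
        print(f"{verdict:9} {url}  ({detail})")
```

Only responses whose verdict is `protected` satisfy the ticket; static assets such as favicon.ico and manifest.json need the header too because the scan reports each resource separately.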

Environment

None

Status

Assignee

Xavier Schildwachter

Reporter

Bruce Hoff

Labels

Validator

Jay Hodgson

Release Version History

None

Priority

Major