Is it Meaningful to Add 'x-frame-options' in an Restful API

Edit 2019-10-07: @Taytay's PR has been merged, so the OWASP recommendation now says that the server should send an X-Frame-Options header.

Original answer:

OWASP recommends that clients send an X-Frame-Options header, but makes no mention of the API itself.

I see no scenario where it makes any sense for the API to return clickjacking security headers - there is nothing to be clicked in an iframe!


OWASP recommends that not only do you send an X-Frame-Options header but that it is set to DENY.

These are recommendations not for a web site but for a REST service.

The scenario where it makes sense to do this is exactly the one the OP mentioned - running a vulnerability scan.

If you do not return a correct X-Frame-Options header the scan will fail. This matters when proving to customers that your endpoint is safe.

It is much easier to provide your customer a passing report than have to argue why a missing header does not matter.

Adding a X-Frame-Options header should not affect the endpoint consumer as it is not a browser with an iframe.

Tags:

Rest

Api

X Frame Options

Clickjacking

Recent Posts