We have a Java-based REST API web application; I am trying to pentest it and went through the OWASP security cheat sheet for REST APIs:
https://www.owasp.org/index.php/REST_Security_Cheat_Sheet#Security_headers
As OWASP recommends, "Additionally the client should send an X-Frame-Options: deny to protect against drag'n drop clickjacking attacks in older browsers." However, as far as I know, the server usually sends this X-Frame-Options header, not the client. Is this a typo on OWASP's part? In addition, with REST API requests, how could clickjacking be exploited, as REST API calls are not seen in the browser?!
OWASP guides are a community effort. Apparently that statement was introduced around 2012; see the following revision. It's most likely a typo, as the server should be sending the X-Frame-Options header, not the browser.
In classical REST APIs, there is technically no way to perform clickjacking. A very far-fetched idea might be if you served a HATEOAS API and output it in HTML format.
I would say move on and focus on other security aspects such as authentication, authorisation and sensitive data being leaked. Try to also think outside of the guidelines. Once I found an API that also returned the user password in base64 format, not so smart...
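As an added example (not part of the original question or answer), here is a small checker a tester can run over captured responses to see which anti-framing policy the server advertises: the X-Frame-Options header discussed above, or the CSP frame-ancestors directive, which modern browsers prefer when both are present. The sample responses are constructed, and the "conservative" scoring rules are this example's own.

```python
from typing import Dict, List, Optional, Tuple

Headers = List[Tuple[str, str]]


def parse_response_headers(raw: str) -> Headers:
    """Parse the header block of a raw HTTP response into lower-cased (name, value) pairs."""
    pairs: Headers = []
    for line in raw.splitlines()[1:]:          # skip the status line
        if not line.strip():
            break                               # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def frame_ancestors(headers: Headers) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP header, or None if absent."""
    for name, value in headers:
        if name != "content-security-policy":
            continue
        for directive in value.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return [t.lower() for t in tokens[1:]]
    return None


def framing_assessment(raw_response: str) -> Dict[str, object]:
    """Summarise the effective anti-framing policy of one HTTP response.

    Conservative rules (this example's own): X-Frame-Options counts only as a
    single DENY or SAMEORIGIN value (ALLOW-FROM is obsolete and several values
    are ambiguous); CSP frame-ancestors, when present, overrides it and counts
    unless it allows '*'.
    """
    headers = parse_response_headers(raw_response)
    xfo = [v.strip().upper()
           for n, value in headers if n == "x-frame-options"
           for v in value.split(",")]
    fa = frame_ancestors(headers)
    content_type = next((v for n, v in headers if n == "content-type"), "")
    xfo_ok = xfo in (["DENY"], ["SAMEORIGIN"])
    csp_ok = fa is not None and "*" not in fa
    return {
        "x_frame_options": xfo,
        "frame_ancestors": fa,
        "protected": csp_ok if fa is not None else xfo_ok,
        # A JSON body is not rendered as a clickable page, so a missing header on
        # such a response is informational rather than a clickjacking finding.
        "html_response": content_type.lower().startswith("text/html"),
    }


# Constructed sample responses: a JSON endpoint and an HTML page with a permissive CSP.
API_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
                "X-Frame-Options: DENY\r\n\r\n{\"id\": 7}")
PAGE_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n"
                 "X-Frame-Options: DENY\r\n"
                 "Content-Security-Policy: default-src 'self'; frame-ancestors *\r\n"
                 "\r\n<html></html>")
```

Feed it the raw response text captured from a proxy; note how the HTML page scores as unprotected despite X-Frame-Options: DENY because its frame-ancestors directive allows any origin.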