Is it Meaningful to Add 'x-frame-options' in an Restful API

We are developing a RESTful API that fulfills some various events. We have done a Nessus vulnerability scan to see security leaks. It turned out that we have some leaks that lead to clickjacking, and we have found the solution. I have added X-Frame-Options as SAMEORIGIN in order to handle the problems.

My question here is that, since I am an API, do I need to handle clickjacking? I guess 3rd party user should be able to reach my API over an iframe and I don't need to handle this.

Do I miss something? Could you please share your ideas?

Uğurcan Şengit asked Dec 02 '15 14:12



1 Answer

Edit 2019-10-07: @Taytay's PR has been merged, so the OWASP recommendation now says that the server should send an X-Frame-Options header.


Original answer:

OWASP recommends that clients send an X-Frame-Options header, but makes no mention of the API itself.

I see no scenario where it makes any sense for the API to return clickjacking security headers - there is nothing to be clicked in an iframe!

nickspoon answered Sep 28 '22 06:09
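For readers who want to see what the scanner finding and the remediation look like in practice, here is an added example that is not part of the question or the answer. It uses Python's standard `wsgiref` module: `anti_framing_middleware` adds the two anti-framing headers to every response of a WSGI app, and `audit_framing_headers` performs the kind of check a scanner applies to a captured response. The toy `api_app` endpoint and the `call_app` helper are constructed for this example; the header names and values are the real ones from RFC 7034 (X-Frame-Options) and CSP Level 2 (frame-ancestors). Because an API has no pages of its own that legitimately need to be framed, the example uses `DENY` / `frame-ancestors 'none'` rather than the `SAMEORIGIN` value from the question.

```python
"""Added example, not code from the question or answer: anti-framing headers on an
API response, plus an audit of the kind a vulnerability scanner performs."""
import json
from wsgiref.util import setup_testing_defaults

# Values browsers recognise for X-Frame-Options (RFC 7034); anything else is ignored.
VALID_XFO = {"DENY", "SAMEORIGIN"}


def audit_framing_headers(headers):
    """Report whether a response can be embedded in a frame by another origin.

    `headers` maps header name -> value; lookup is case-insensitive.
    Returns {"protected": bool, "findings": [str, ...]}.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []

    xfo = lowered.get("x-frame-options")
    if xfo is None:
        findings.append("missing X-Frame-Options")
    elif xfo.strip().upper() not in VALID_XFO:
        findings.append(f"unrecognised X-Frame-Options value {xfo!r}")

    # Pull the frame-ancestors directive out of the CSP header, if there is one.
    frame_ancestors = None
    for directive in lowered.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            frame_ancestors = parts[1:]
    if frame_ancestors is None:
        findings.append("no frame-ancestors directive in Content-Security-Policy")
    elif "*" in frame_ancestors:
        findings.append("frame-ancestors allows any origin")

    if frame_ancestors is not None:
        # CSP Level 2: when frame-ancestors is present, browsers ignore X-Frame-Options.
        protected = "*" not in frame_ancestors
    else:
        protected = xfo is not None and xfo.strip().upper() in VALID_XFO
    return {"protected": protected, "findings": findings}


def anti_framing_middleware(app):
    """Wrap a WSGI app so every response carries both anti-framing headers,
    unless the app already set them itself."""
    def wrapped(environ, start_response):
        def start_response_with_headers(status, headers, exc_info=None):
            names = {name.lower() for name, _ in headers}
            if "x-frame-options" not in names:
                headers.append(("X-Frame-Options", "DENY"))
            if "content-security-policy" not in names:
                headers.append(("Content-Security-Policy", "frame-ancestors 'none'"))
            return start_response(status, headers, exc_info)
        return app(environ, start_response_with_headers)
    return wrapped


def api_app(environ, start_response):
    """Constructed toy JSON endpoint standing in for the REST API in the question."""
    body = json.dumps({"status": "ok"}).encode()
    start_response("200 OK", [("Content-Type", "application/json"),
                              ("Content-Length", str(len(body)))])
    return [body]


def call_app(app, path="/events"):
    """Invoke a WSGI app in-process (no server) and return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    # Before: the bare API, which is what the scanner flagged.
    _, bare_headers, _ = call_app(api_app)
    print("bare API:", audit_framing_headers(bare_headers))
    # After: the same API behind the middleware.
    _, wrapped_headers, _ = call_app(anti_framing_middleware(api_app))
    print("with middleware:", audit_framing_headers(wrapped_headers))
```

Note that browsers only enforce these headers when they render the response as a document; a JSON body fetched by script is never framed, which is the point the answer makes. Sending the headers anyway is cheap, silences the scanner finding, and covers the case where an API response is ever opened directly in a browser tab or frame.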