We are developing a restful API that fulfills some various events. We have done a Nessus vulnerability scan to see security leaks. It turned out that we have some leaks leads to clickjacking and we have found the solution. I have added x-frame-options
as SAMEORIGIN
in order to handle problems.
My question here is that, since I am an API, do I need to handle clickjacking? I guess 3rd party user should be able to reach my API over an iframe and I don't need to handle this.
Do I miss something? Could you please share your ideas?
Good REST APIs: are well-documented and reliable. use HTTP verbs as Fielding originally defined. support X-HTTP-METHOD-Override to accommodate picky proxies.
X-Frame-Options Deprecated While the X-Frame-Options header is supported by the major browsers, it has been obsoleted in favour of the frame-ancestors directive from the CSP Level 2 specification. Proxies Web proxies are notorious for adding and stripping headers.
Edit 2019-10-07: @Taytay's PR has been merged, so the OWASP recommendation now says that the server should send an X-Frame-Options header.
Original answer:
OWASP recommends that clients send an X-Frame-Options header, but makes no mention of the API itself.
I see no scenario where it makes any sense for the API to return clickjacking security headers - there is nothing to be clicked in an iframe!
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With