Loading controls...

Control: Site headers must contain X-Frame-Options

Description

X-Frame-Options header helps to prevent Clickjacking attacks. The Deep Security Manager enforces the SAMEORIGIN value for this header, only allowing it to be embedded in web applications that are hosted on the same domain.

Usage

Run the control in your terminal:

steampipe check net_insights.control.security_headers_x_frame_options

Snapshot and share results via Steampipe Cloud:

steampipe login
steampipe check --share net_insights.control.security_headers_x_frame_options

Plugins & Tables

net_http_request

Params

Args	Name	Default	Description	Variable
$1	website_urls	`["https://github.com","https://microsoft.com"]`	Website URLs.	website_urls

SQL

with available_headers as (
  select
    url,
    array_agg(header.key)
  from
    net_http_request,
    jsonb_each(response_headers) as header
  where
    url in (
      select
        jsonb_array_elements_text(to_jsonb($1 :: text [ ]))
    )
  group by
    url
)
select
  url as resource,
  case
    when array [ 'X-Frame-Options' ] < @ array_agg then 'ok'
    else 'alarm'
  end as status,
  case
    when array [ 'X-Frame-Options' ] < @ array_agg then url || ' contains required headers ''X-Frame-Options''.'
    else url || ' missing required headers ''X-Frame-Options''.'
  end as reason
from
  available_headers;

turbot/net_insights

Control: Site headers must contain X-Frame-Options

Description

Usage

Plugins & Tables

Params

SQL

Steampipe

Resources

Community