VMware Horizon Community
GaryMclean
Enthusiast

x-frame-options broken in 7.4?

Just upgraded to 7.4 and it seems that, even though it's on by default, the x-frame-options header is no longer being sent from the Security Server. Anyone else seen this?

You can test here https://securityheaders.io/

2 Replies
sunil_yadav_00
Contributor

I have the same issue: no matter what directive I put in the locked properties file for x-frames-options, it never shows up in Fiddler or when checking against securityheaders.io. Support said this is expected, but I don't think so; it needs to pass the header to the browser to give the browser the directive, and our security will not pass this.

I tried both and none show up.

x-frame-options = deny

x-frame-options = sameorigin

sunil_yadav_00
Contributor

Found the issue after more testing. The UAG will only send either the CSP or x-frames-options header based on what the client supports. For example, if you are using a modern browser, the security gw will only send CSP headers; if you use an older browser that does not support CSP v2, like IE Edge, you will get the x-frames-options header. You will not receive both headers anymore. Test by using IE Edge and Chrome and doing a packet capture with Fiddler.

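Added example (not from the thread or from VMware): a small Python check that reproduces the test described above without a packet capture. It fetches the response headers with different User-Agent strings and reports, per agent, whether anti-framing protection is present through either `X-Frame-Options` or a CSP `frame-ancestors` directive, so a gateway that sends only one of the two is still recognised as protected, while one that sends neither is flagged. The header sets and User-Agent strings below are constructed for the demonstration; `fetch_headers` and `audit_across_agents` are names chosen here, not part of any VMware tool.

```python
"""Check whether an HTTP response carries clickjacking protection via
X-Frame-Options and/or Content-Security-Policy frame-ancestors.

A gateway may send only one of the two mechanisms depending on the
client it sees, so both must be considered before declaring a response
unprotected.
"""
import urllib.request
from typing import Callable, Dict, Optional

# Constructed sample responses (not captured from a real server).
MODERN_BROWSER_HEADERS: Dict[str, str] = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
}
LEGACY_BROWSER_HEADERS: Dict[str, str] = {
    "X-Frame-Options": "SAMEORIGIN",
}
UNPROTECTED_HEADERS: Dict[str, str] = {
    # CSP present but without frame-ancestors: no framing protection.
    "Content-Security-Policy": "default-src 'self'",
}

# Constructed User-Agent strings; real ones are longer but the check
# only needs something the server can use to pick a header set.
USER_AGENTS: Dict[str, str] = {
    "chrome": "Mozilla/5.0 (Windows NT 10.0) Chrome/64.0",
    "legacy": "Mozilla/5.0 (Windows NT 10.0) Trident/7.0",
}


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors(headers: Dict[str, str]) -> Optional[str]:
    """Return the frame-ancestors source list from the CSP header, if any."""
    csp = _get(headers, "Content-Security-Policy")
    if not csp:
        return None
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return " ".join(parts[1:])
    return None


def assess_framing_protection(headers: Dict[str, str]) -> Dict[str, object]:
    """Report which anti-framing mechanism, if any, the response carries."""
    xfo = _get(headers, "X-Frame-Options")
    ancestors = frame_ancestors(headers)
    mechanism = "csp" if ancestors else ("xfo" if xfo else None)
    return {
        "x_frame_options": xfo,
        "frame_ancestors": ancestors,
        "mechanism": mechanism,
        "protected": mechanism is not None,
    }


def fetch_headers(url: str, user_agent: str) -> Dict[str, str]:
    """Issue a HEAD request with the given User-Agent and return the headers."""
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


def audit_across_agents(url: str,
                        agents: Dict[str, str],
                        fetch: Callable[[str, str], Dict[str, str]] = fetch_headers
                        ) -> Dict[str, Dict[str, object]]:
    """Fetch the URL once per User-Agent and assess each response.

    `fetch` is injectable so the logic can be exercised offline.
    """
    return {name: assess_framing_protection(fetch(url, ua))
            for name, ua in agents.items()}


if __name__ == "__main__":
    # Offline demonstration using the constructed header sets.
    def fake_fetch(url: str, user_agent: str) -> Dict[str, str]:
        return MODERN_BROWSER_HEADERS if "Chrome" in user_agent else LEGACY_BROWSER_HEADERS

    for agent, result in audit_across_agents("https://gateway.example", USER_AGENTS, fake_fetch).items():
        print(f"{agent:8s} mechanism={result['mechanism']} protected={result['protected']}")
```

To run it against a real gateway, call `audit_across_agents("https://<your-uag-host>/", USER_AGENTS)` with the default fetcher; any agent whose result has `protected` set to `False` is the one to investigate.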