Is it Meaningful to Add 'x-frame-options' in an Restful API

api rest x-frame-options clickjacking
Uğurcan Şengit picture Uğurcan Şengit · Dec 2, 2015 · Viewed 8.3k times · Source

We are developing a restful API that fulfills some various events. We have done a Nessus vulnerability scan to see security leaks. It turned out that we have some leaks leads to clickjacking and we have found the solution. I have added x-frame-options as SAMEORIGINin order to handle problems.

My question here is that, since I am an API, do I need to handle clickjacking? I guess 3rd party user should be able to reach my API over an iframe and I don't need to handle this.

Do I miss something? Could you please share your ideas?

Answer

nickspoon picture nickspoon · Dec 18, 2015

Edit 2019-10-07: @Taytay's PR has been merged, so the OWASP recommendation now says that the server should send an X-Frame-Options header.

Original answer:

OWASP recommends that clients send an X-Frame-Options header, but makes no mention of the API itself.

I see no scenario where it makes any sense for the API to return clickjacking security headers - there is nothing to be clicked in an iframe!

Related questions

How do I make calls to a REST API using C#?

This is the code I have so far: using System; using System.Collections.Generic; using System.Linq; using System.Text; using System; using System.Net.Http; using System.Web; using System.Net; using System.IO; namespace ConsoleProgram { public class Class1 { …

Read More
How do you set the Content-Type header for an HttpClient request?

I'm trying to set the Content-Type header of an HttpClient object as required by an API I am calling. I tried setting the Content-Type like below: using (var httpClient = new HttpClient()) { httpClient.BaseAddress = new Uri("http://example.com/"); httpClient.DefaultRequestHeaders.…

Read More
REST API Best practices: Where to put parameters?

A REST API can have parameters in at least two ways: As part of the URL-path (i.e. /api/resource/parametervalue ) As a query argument (i.e. /api/resource?parameter=value ) What is the best practice here? Are there any …

Read More