Four endpoints with different framing policies. Check which ones are missing X-Frame-Options and Content-Security-Policy headers, then see the unprotected page load live inside a hostile iframe.
An attacker embeds the target page inside a transparent <iframe> layered over a decoy page. The victim sees the decoy but their clicks land on the invisible target — deleting accounts, confirming purchases, or changing passwords without consent. The fix is one response header: X-Frame-Options: DENY or Content-Security-Policy: frame-ancestors 'none'.
| Verdict | Endpoint |
|---|---|
| Bug Found | Unprotected endpoint — no framing header present, embeddable from any origin |
| True Positive | X-Frame-Options: DENY — browser refuses to render the page in any iframe |
| True Positive | X-Frame-Options: SAMEORIGIN — blocks cross-origin framing, allows same-origin |
| True Positive | Content-Security-Policy: frame-ancestors 'none' — modern equivalent of DENY |
| Bug Found | Live iframe demo — unprotected page loads inside an embedded iframe, demonstrating the attack surface |
Fetches the endpoint and inspects the response headers. An endpoint with no framing protection can be embedded in an iframe on any domain.
✗ No framing headers

The strongest framing restriction. The browser refuses to render this page in any iframe regardless of the requesting origin — including the same domain.
✓ X-Frame-Options: DENY

Allows framing from the same origin only. Any attempt to embed this page from a different domain is blocked. Weaker than DENY but suitable when the app itself needs to embed the page.
✓ X-Frame-Options: SAMEORIGIN

The modern replacement for X-Frame-Options. The Content-Security-Policy directive frame-ancestors 'none' blocks all framing and supersedes X-Frame-Options in browsers that support CSP Level 2.
✓ Content-Security-Policy: frame-ancestors 'none'
Embeds the unprotected endpoint inside a real iframe. In a real attack, this iframe would be made transparent and positioned over a decoy page — the victim clicks what they think is the attacker's button but actually activates the action below.
✗ Unprotected — embeds successfully

Header check result messages, one per endpoint:
No X-Frame-Options or Content-Security-Policy framing directive. Any origin can embed this page (bug found).
X-Frame-Options: DENY header is present. The browser blocks framing from all origins including the same domain (true positive — strongest protection).
X-Frame-Options: SAMEORIGIN header is present. The browser allows framing from the same origin only; any other domain is blocked (true positive — partial protection).
Content-Security-Policy: frame-ancestors 'none'. This is the modern CSP-based equivalent of DENY and supersedes X-Frame-Options in compliant browsers (true positive).
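As an added example that is not part of the lab, a small Python classifier that applies the same header rules as the header check and its result messages, run over constructed responses standing in for the four endpoints (the paths are hypothetical; the header values are the ones the table lists). It also handles two cases the lab does not show: a CSP frame-ancestors directive overriding X-Frame-Options, and conflicting or unrecognised X-Frame-Options values.

```python
# Added example (not code from the lab page): classify an endpoint's clickjacking
# protection from its response headers, as the lab's header check does. Headers
# are (name, value) pairs so that a repeated header is not lost.

def frame_ancestors(csp_values):
    """Source list of the first frame-ancestors directive in the enforced CSP
    policies, lower-cased, or None if no policy sets the directive."""
    for policy in csp_values:
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return [t.lower() for t in tokens[1:]]
    return None

def classify_framing(headers):
    """Return 'csp-none', 'csp-allowlist', 'deny', 'sameorigin' or 'unprotected'.
    A frame-ancestors directive makes browsers ignore X-Frame-Options (CSP Level
    2+), so it wins. Report-Only policies enforce nothing and are skipped. XFO
    values other than DENY/SAMEORIGIN (e.g. ALLOW-FROM) are ignored by current
    browsers, so they leave the page embeddable."""
    csp = [v for n, v in headers if n.lower() == "content-security-policy"]
    xfo = {v.strip().upper() for n, v in headers if n.lower() == "x-frame-options"}
    ancestors = frame_ancestors(csp)
    if ancestors is not None:
        return "csp-none" if ancestors == ["'none'"] else "csp-allowlist"
    if len(xfo) > 1:
        # Conflicting values: the HTML Standard blocks framing when any of them
        # is DENY or SAMEORIGIN, otherwise the header is ignored.
        return "deny" if xfo & {"DENY", "SAMEORIGIN"} else "unprotected"
    if xfo == {"DENY"}:
        return "deny"
    if xfo == {"SAMEORIGIN"}:
        return "sameorigin"
    return "unprotected"

# Constructed responses standing in for the lab's four endpoints (paths are
# hypothetical; the header values are the ones the lab's table lists).
LAB_ENDPOINTS = {
    "/unprotected": [("Content-Type", "text/html")],
    "/xfo-deny": [("Content-Type", "text/html"), ("X-Frame-Options", "DENY")],
    "/xfo-sameorigin": [("X-Frame-Options", "SAMEORIGIN")],
    "/csp-none": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
}

def lab_report(endpoints=LAB_ENDPOINTS):
    """Map each path to (verdict, lab label); only 'unprotected' is a bug."""
    report = {}
    for path, hdrs in endpoints.items():
        verdict = classify_framing(hdrs)
        report[path] = (verdict, "Bug Found" if verdict == "unprotected" else "True Positive")
    return report
```

To check a live endpoint, feed it the `getheaders()` list of an `http.client` response (or `response.headers.items()` from `urllib`) instead of the constructed pairs.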