
  • Hans 8 posts 118 karma points
    Feb 09, 2023 @ 22:01
    Hans
    0

    warning message on security scan - x-frame-options is duplicated

    Hi everyone! Hopefully someone can help me!

    I wanted to ask for help to solve a problem I have when running a security scanner on my website.

    I get the following error:

    X-Frame-Options -> There was a duplicate X-Frame-Options header.

    I have correctly configured my Web.Config file, however, the error keeps popping up.

    Do you have any idea why this is happening?

  • Dave Woestenborghs 3504 posts 12133 karma points MVP 8x admin c-trib
    Feb 10, 2023 @ 08:32
    Dave Woestenborghs
    0

    Hi Hans,

    Does this page have an Umbraco Form, or a form on it that uses an anti-forgery token?

    Dave

  • Hans 8 posts 118 karma points
    Feb 10, 2023 @ 13:33
    Hans
    0

    Hi Dave, thanks for the reply!

    Yes, the website has a simple form with reCAPTCHA. Will this cause any conflict?

  • Hans 8 posts 118 karma points
    Feb 13, 2023 @ 14:11
    Hans
    0

    Yes Dave, one page uses @Html.AntiForgeryToken().

  • Dave Woestenborghs 3504 posts 12133 karma points MVP 8x admin c-trib
    Feb 13, 2023 @ 14:28
    Dave Woestenborghs
    100

    Hi Hans,

    Using @Html.AntiForgeryToken will add an X-Frame-Options header to your response.

    What version of Umbraco are you using?

    Dave

  • Hans 8 posts 118 karma points
    Feb 14, 2023 @ 12:21
    Hans
    100

    Hi Dave! You are right.

    I have added this line in my code (Startup.cs), so that the @html.antiforgerytoken() does not add any new X-Frame-Options.

    Thanks Dave, for helping me!

  • Huw Reddick 1770 posts 6157 karma points MVP c-trib
    Feb 10, 2023 @ 08:38
    Huw Reddick
    0

    Also check in your startup.cs file to see if you have this code

    app.UseXfo(options => options.SameOrigin());
    

    With .NET Core you don't necessarily need to set it in the web.config.

  • Hans 8 posts 118 karma points
    Feb 10, 2023 @ 13:47
    Hans
    0

    Hi Huw Reddick, thanks for the reply!

    In my startup.cs file, I don't have this line of code.

    Do you think I need this line in my code?

  • Huw Reddick 1770 posts 6157 karma points MVP c-trib
    Feb 10, 2023 @ 13:55
    Huw Reddick
    0

    I believe the preferred method in .NET Core is to do it in program/startup rather than in web.config.

    Doing it in Umbraco https://docs.umbraco.com/umbraco-cms/extending/health-check/guides/clickjackingprotection
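
Added example, not posted by anyone in this thread and not Umbraco's own code: a generic ASP.NET Core `Startup` that leaves exactly one source for `X-Frame-Options`. It uses the framework's `AntiforgeryOptions.SuppressXFrameOptionsHeader` setting and a small inline middleware, and assumes the `X-Frame-Options` entry has been removed from web.config; in an Umbraco site the same calls would go into the existing `ConfigureServices` and `Configure` methods.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // @Html.AntiForgeryToken() makes the antiforgery service emit
        // "X-Frame-Options: SAMEORIGIN" on the response. Turn that off so
        // the header has a single owner (the middleware below).
        services.AddAntiforgery(options => options.SuppressXFrameOptionsHeader = true);
        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Registered first so it covers every response, including pages
        // that render no antiforgery token at all.
        app.Use(async (context, next) =>
        {
            context.Response.OnStarting(() =>
            {
                // Indexer assignment replaces any value written earlier in
                // the pipeline instead of appending a second header line.
                context.Response.Headers["X-Frame-Options"] = "SAMEORIGIN";
                return Task.CompletedTask;
            });
            await next();
        });

        app.UseRouting();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```

A header added through web.config `customHeaders` is written by IIS outside this pipeline, so keeping that entry alongside the middleware would bring the duplicate back.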
