Home → Suggestions →

X-Frame-Options test is a litle bit excessive.

• Edit

sebastien.aucouturier

10 Feb, 2016 09:59 AM

Seems Arachni only agree when X-Frame-Options is set to DENY.

To my mind it must only complains when X-Frame-Options is missing or is set to 'ALLOW-FROM'
and not warn us when header set to 'DENY' or 'SAMEORIGIN'

1. Support Staff 1 Posted by Tasos Laskos on 10 Feb, 2016 10:05 AM

   

   Judging from the code, it should only be logging it when missing.
   If you could show me the logged headers or better yet send me the AFR report (in private) that'd be very helpful.

   Also, which version and OS are you using?

   Cheers

   • Edit

2. 2 Posted by sebastien.aucou... on 10 Feb, 2016 10:38 AM

   

   Hi Tasos.

   you're right, my analyse was bad.
   So i go deeper, and found that arachni complains on a ' 404 Not Found' page crawled where X-Frame-Options is missing.

   Linux arachni-1.3.2-0.5.9

   • Edit

3. Support Staff 3 Posted by Tasos Laskos on 10 Feb, 2016 10:39 AM

   

   No problem.

   Btw, better try the new version, you're one behind.

   Cheers

   • Edit

4. Tasos Laskos closed this discussion on 10 Feb, 2016 10:39 AM.