The X-Frame-Options test is a little bit excessive.
It seems Arachni only agrees when X-Frame-Options is set to DENY.
To my mind it must only complain when X-Frame-Options is
missing or is set to 'ALLOW-FROM',
and not warn us when the header is set to 'DENY' or 'SAMEORIGIN'.
Support Staff 1 Posted by Tasos Laskos on 10 Feb, 2016 10:05 AM
Judging from the code, it should only be logging it when missing.
If you could show me the logged headers or better yet send me the AFR report (in private) that'd be very helpful.
Also, which version and OS are you using?
Cheers
2 Posted by sebastien.aucou... on 10 Feb, 2016 10:38 AM
Hi Tasos.
You're right, my analysis was bad.
So I went deeper and found that Arachni complains about a '404 Not Found' page crawled where X-Frame-Options is missing.
Linux arachni-1.3.2-0.5.9
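
The situation found above (a crawled 404 page that lacks the header while normal pages carry it) can be reproduced with a small stand-alone check. This is an added example, not Arachni's code and not something posted in this thread; the URLs, the response heads and the names `classify_xfo`, `parse_head` and `audit` are constructed for illustration.

```ruby
# Added example: classify X-Frame-Options per response, error pages included.

# headers: array of [name, value] pairs, so duplicate headers are preserved.
def classify_xfo(headers)
  values = headers.select { |name, _| name.casecmp?('X-Frame-Options') }
                  .map { |_, value| value.to_s.strip.upcase }
  return :missing if values.empty?
  return :conflicting if values.uniq.size > 1 # e.g. app and proxy both set it

  case values.first
  when 'DENY', 'SAMEORIGIN' then :ok
  when /\AALLOW-FROM\s+\S+/ then :allow_from # obsolete, ignored by current browsers
  else :invalid
  end
end

# Split a raw response head into [status_code, header_pairs].
def parse_head(raw)
  lines = raw.split(/\r?\n/)
  status = lines.shift.to_s[%r{\AHTTP/\d(?:\.\d)?\s+(\d{3})}, 1].to_i
  headers = lines.take_while { |line| !line.empty? }.map do |line|
    name, value = line.split(':', 2)
    [name.strip, value.to_s.strip]
  end
  [status, headers]
end

# Return one finding per response whose header is not DENY or SAMEORIGIN.
def audit(responses)
  responses.each_with_object([]) do |(url, raw), findings|
    status, headers = parse_head(raw)
    verdict = classify_xfo(headers)
    findings << { url: url, status: status, verdict: verdict } unless verdict == :ok
  end
end

# Constructed sample: the 200 pages are fine, the 404 page has no header.
SAMPLE = {
  'http://app.example/' => "HTTP/1.1 200 OK\r\nx-frame-options: sameorigin\r\n\r\n",
  'http://app.example/login' => "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n\r\n",
  'http://app.example/nope' => "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n",
  'http://app.example/widget' => "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://partner.example\r\n\r\n",
  'http://app.example/proxy' => "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n"
}.freeze

audit(SAMPLE).each { |f| puts "#{f[:status]} #{f[:url]} -> #{f[:verdict]}" }
```

Error pages are often generated by a different layer (web server or framework default handler) than normal pages, so setting the header at the front-end server for all responses covers both.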
Support Staff 3 Posted by Tasos Laskos on 10 Feb, 2016 10:39 AM
No problem.
Btw, better try the new version, you're one behind.
Cheers
Tasos Laskos closed this discussion on 10 Feb, 2016 10:39 AM.