False positive: Missing X-Frame-Options HTTP header
alensiljak opened this issue
Alen Šiljak commented
Description of the false positive
In a C# project, we are using NWebsec.AspNetCore.Middleware's (docs) ApplicationBuilderExtensions to set the X-Frame-Options policy. The scanner, however, reports Missing X-Frame-Options HTTP header (cs/web/missing-x-frame-options) as it is only checking the Web.config, I assume.
Any suggestions on mitigation? Thanks!
Code samples or links to source code
//set x-Frame-Options policy="SameOrigin"
app.UseXfo(options => options.SameOrigin());
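
When the header is set by middleware at runtime rather than in Web.config, a false-positive triage can be backed by checking the headers the application actually returns. The following is an added example, not part of the original issue and not code from the scanner or NWebsec; the routes and header sets are constructed sample data and the function names are hypothetical.

```python
# Added example: classify the X-Frame-Options protection present in captured
# response headers. All sample data below is constructed for illustration.

VALID = {"DENY", "SAMEORIGIN"}

def xfo_verdict(headers):
    """headers: list of (name, value) pairs as received; duplicates allowed.
    Returns 'deny', 'sameorigin', 'missing', 'conflicting', 'obsolete' or 'invalid'."""
    values = []
    for name, value in headers:
        # Header names are case-insensitive; one line may hold a comma-separated list.
        if name.strip().lower() == "x-frame-options":
            values += [v.strip().upper() for v in value.split(",") if v.strip()]
    if not values:
        return "missing"
    distinct = set(values)
    if len(distinct) > 1:
        return "conflicting"      # e.g. middleware and a proxy both set the header
    (only,) = distinct
    if only in VALID:
        return only.lower()
    if only.startswith("ALLOW-FROM"):
        return "obsolete"         # ALLOW-FROM is not honoured by current browsers
    return "invalid"

def audit(responses):
    """Return {route: verdict} for every route without an effective header."""
    findings = {}
    for route, headers in responses.items():
        verdict = xfo_verdict(headers)
        if verdict not in ("deny", "sameorigin"):
            findings[route] = verdict
    return findings

# Constructed sample: headers captured per route from a test deployment.
RESPONSES = {
    "/": [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")],
    "/login": [("x-frame-options", "sameorigin")],
    "/static/help.html": [("Content-Type", "text/html")],
    "/legacy": [("X-Frame-Options", "SAMEORIGIN"), ("X-Frame-Options", "DENY")],
    "/embed": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
}

if __name__ == "__main__":
    for route, verdict in sorted(audit(RESPONSES).items()):
        print(f"{route}: {verdict}")
```

An empty result from `audit` on real captures is evidence that the static finding can be dismissed; any route it lists is not covered by the middleware as deployed.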