Hi,

I should have read that properly, it's not a matter of html, but http
response... So I added x-frame-options=SAMEORIGIN to the headers that are
added by IIS (in my case) to the response, and I should be hopefully fine.

Bye,
 Petr

-----Original Message-----
From: Petr Nemecek [mailto:[email protected]] 
Sent: Tuesday, March 04, 2014 7:30 PM
To: [email protected]
Subject: Qualys scan/X-Frame-Options

Hi all,

One of our clients ran a Qualys scan on our app. The only finding is shown
below. The html file is the file that is automatically generated by Flash
Builder during the compilation.

I assume I will have to add some code into the html. Any idea how to cope
with that automatically? I.e. so that I don't have to edit the html manually
whenever I export a new release.

Many thanks,
 Petr

************************************
URL: https://www.abc.de/app/app.html
Finding #: 326356057
First Time Detected: 15 Feb 2014 04:07 GMT+0200
Last Time Detected: 15 Feb 2014 04:07 GMT+0200
Last Time Tested: 15 Feb 2014 04:07 GMT+0200
Times Detected: 1
Group: Information Disclosure
CWE: -
OWASP: -
WASC: -
CVSS Base: -
CVSS Temporal: -
Details
Threat
The page can be easily framed. Anti-framing measures are not used.
Impact
Clickjacking and Cross-Site Request Forgery (CSRF) can be performed by
framing the target site. An attacker can trick the user into clicking on the
link by framing the original page and showing a layer on top of it with
dummy buttons.
Solution
Two of the most popular preventions are:
X-Frame-Options: This header works with modern browsers and can be used to
prevent framing of the page. Note that it must be an HTTP header; the setting
is ignored if it is created as an "http-equiv" meta element within the page.
Framekiller: JavaScript code that prevents the malicious user from framing
the page.
************************************
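To confirm that the IIS fix from the reply actually lands in the HTTP response as a header, and not only as a meta tag that browsers ignore (the point the scan text makes), here is an added Python check; it is not part of this thread or of Qualys, the sample responses are constructed, and it treats only DENY and SAMEORIGIN as protective.

```python
import re

# Header values that actually stop framing. ALLOW-FROM is legacy and is not
# honoured by every browser, so it is reported but not counted as protection.
SAFE_VALUES = {"DENY", "SAMEORIGIN"}
# Matches the ineffective <meta http-equiv="X-Frame-Options"> form.
META_RE = re.compile(r'<meta[^>]*http-equiv\s*=\s*["\']?x-frame-options', re.IGNORECASE)


def split_response(raw):
    """Split a raw HTTP response into (headers dict, body).
    Header names are lower-cased; a repeated header keeps its last value."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def check_frame_options(raw):
    """Verdict for one response: protected by a real X-Frame-Options header,
    or only by a meta element (which the scanner says is ignored)?"""
    headers, body = split_response(raw)
    value = headers.get("x-frame-options")
    meta_only = value is None and META_RE.search(body) is not None
    protected = value is not None and value.upper() in SAFE_VALUES
    return {"header": value, "protected": protected, "meta_only": meta_only}


# Constructed sample responses, not captured from the application in the thread.
FIXED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
         "X-Frame-Options: SAMEORIGIN\r\n\r\n<html><body>app</body></html>")
META_TAG = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            '<html><head><meta http-equiv="X-Frame-Options" content="DENY">'
            "</head><body>app</body></html>")
UNPROTECTED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
               "<html><body>app</body></html>")

if __name__ == "__main__":
    for label, resp in (("fixed", FIXED), ("meta", META_TAG), ("none", UNPROTECTED)):
        print(label, check_frame_options(resp))
```

Feed it the raw bytes of a real response (for example from a curl -i capture, decoded to text) to verify the header survives whatever IIS adds or strips.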
