The frame-src CSP directive decides what sources can be used in a frame on a page. The X-Frame-Options header, on the other hand, regulates which other pages can use that page in an iframe. The CSP specification states that if a resource is delivered with a policy that includes a directive named frame-ancestors and whose disposition is "enforce", then "the X-Frame-Options header MUST be ignored". Note that Chrome 40 and Firefox 35 ignore the frame-ancestors directive and follow the X-Frame-Options header instead.
X-Frame-Options (XFO) is a header that helps protect website visitors against clickjacking attacks. It is recommended to use the X-Frame-Options header on pages that should not be allowed to render in a frame. The frame-ancestors directive, in turn, lets you specify which parent URLs can frame the current resource. Using the frame-ancestors CSP directive, we can block or allow a page from being placed within a frame or iframe.
Environment: tested on Apache Web Server 2.4. Browse the URL and look at the response header to see the CSP and XFO information.
Setting frame-ancestors is one of the best ways to prevent clickjacking.
In the HTTP response header, set Content-Security-Policy: frame-ancestors.
Browse the URL and look at your response header, and you will see the implemented CSP frame-ancestors information.
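The header check described above can be automated. The following Python sketch is an added example, not code from the original page: it takes a response's headers and reports which mechanism governs framing, applying the rule that an enforced frame-ancestors directive overrides X-Frame-Options. The function names and the sample header sets are assumptions made for illustration.

```python
# Added example; the sample header sets below are constructed, not captured.
def parse_frame_ancestors(policy):
    """Return the frame-ancestors source list of one serialized policy, or None."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def framing_policy(headers):
    """Return (governing mechanism, its values, notes) for (name, value) pairs."""
    enforced, xfo, notes = [], [], []
    for name, value in headers:
        key = name.lower()
        if key == "content-security-policy":
            # One header line may carry several comma-separated policies.
            for policy in value.split(","):
                sources = parse_frame_ancestors(policy)
                if sources is not None:
                    enforced.append(sources)
        elif key == "content-security-policy-report-only":
            if parse_frame_ancestors(value) is not None:
                notes.append("frame-ancestors is report-only, not enforced")
        elif key == "x-frame-options":
            xfo.append(value.strip().upper())
    if enforced:
        if xfo:
            notes.append("X-Frame-Options ignored where frame-ancestors is supported")
        return "frame-ancestors", enforced, notes
    if xfo:
        if any(v not in ("DENY", "SAMEORIGIN") for v in xfo):
            notes.append("only DENY and SAMEORIGIN are widely honoured")
        return "x-frame-options", xfo, notes
    return "unprotected", [], notes


SAMPLES = {
    "both": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'"),
             ("X-Frame-Options", "SAMEORIGIN")],
    "report_only": [("Content-Security-Policy-Report-Only", "frame-ancestors 'none'"),
                    ("X-Frame-Options", "DENY")],
    "allow_from": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
    "frame_src_only": [("Content-Security-Policy", "frame-src https://video.example")],
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(label, framing_policy(headers))
```

The frame_src_only sample comes back as unprotected because frame-src only limits what the page itself may embed and says nothing about who may frame it.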
Fixing CSP frame-ancestors alone is not going to protect your website from all security threats. Be sure to follow a web application security checklist; leveraging the eCyLabs Web Application Firewall could protect against this kind of issue at the firewall level.
Leverage eCyLabs ASPM to get a 360-degree view of your application security posture from code to cloud. Our Marketplace approach is a cost-effective and efficient way to monitor security and compliance.