id: missing-x-frame-options

info:
  name: Clickjacking (Missing XFO header)
  author: kurohost
  severity: low

  # This is an valid issue "only" when you able to frame authenticated page with poc to make state changing actions.
  # Without working poc, do not report this.

requests:
  - method: GET
    path:
      - "{{BaseURL}}"

    redirects: true
    max-redirects: 2
    matchers:
      - type: dsl
        dsl:
          - "!contains(tolower(all_headers), 'x-frame-options')"