X-Frame-Options for full page results?


We ran an application vulnerability scanner on our web app that uses MiniProfiler. It came back with a minor clickjacking vulnerability on the MiniProfiler result page because that page doesn’t specify an X-Frame-Options header (or use a JS framebusting script). I’ve looked at the source code and see how this could be easily added. I’m willing to write this and create the pull request, but first I wanted to start this discussion.

  1. Are there any side-effects to including this header? I can’t imagine wanting to frame in a MiniProfiler result page, but that doesn’t mean someone won’t want to. This seems like an easy add with little impact, but I may have overlooked something.
  2. Should the header be configurable in MiniProfiler settings? If so, how (on/off, specify what option you want, etc)?
  3. What else am I missing?

Extra info - we enable MiniProfiler for admin users and ran the scan with admin credentials. MiniProfiler isn’t available for all users.
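For readers of this thread, here is a worked illustration of the mitigation the post asks about: a small WSGI-style middleware that adds anti-framing headers only to profiler result responses, with the on/off and DENY/SAMEORIGIN configurability raised in question 2. This is an added example, not MiniProfiler's own code or a proposed patch; the result path prefix, the option names, the sample application and the request driver are all assumptions made for the example. It also sends the equivalent `Content-Security-Policy: frame-ancestors` directive, which modern browsers prefer over X-Frame-Options, and refuses the obsolete `ALLOW-FROM` form, which most browsers ignore.

```python
"""Added example: anti-framing headers for profiler result pages.
Not MiniProfiler's code. Path prefix, option names and sample app are
assumptions for illustration."""

from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]

# The only X-Frame-Options values browsers reliably honour, mapped to the
# equivalent CSP frame-ancestors source. ALLOW-FROM is obsolete and is
# deliberately not accepted.
VALID_MODES = {"DENY": "'none'", "SAMEORIGIN": "'self'"}


def add_frame_headers(headers: Headers, mode: str) -> Headers:
    """Return a copy of headers with anti-framing headers added,
    without clobbering values the application already set."""
    present = {name.lower() for name, _ in headers}
    out = list(headers)
    if "x-frame-options" not in present:
        out.append(("X-Frame-Options", mode))
    if "content-security-policy" not in present:
        out.append(("Content-Security-Policy",
                    "frame-ancestors " + VALID_MODES[mode]))
    return out


def frame_protection(app, result_prefix="/mini-profiler-resources/results",
                     mode="DENY"):
    """Wrap a WSGI app so responses whose path starts with result_prefix
    (assumed prefix) carry X-Frame-Options plus a matching CSP.
    mode=None switches the protection off; anything other than DENY or
    SAMEORIGIN is rejected at configuration time, not silently sent."""
    if mode is not None and mode not in VALID_MODES:
        raise ValueError("mode must be DENY, SAMEORIGIN or None")

    def wrapped(environ, start_response):
        path = environ.get("PATH_INFO", "")

        def protecting_start_response(status, headers, exc_info=None):
            if mode is not None and path.startswith(result_prefix):
                headers = add_frame_headers(headers, mode)
            return start_response(status, headers, exc_info)

        return app(environ, protecting_start_response)

    return wrapped


def sample_app(environ, start_response):
    """Constructed stand-in for the profiled application; every route
    returns the same HTML so the header difference is the only signal."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html>profiler result</html>"]


def response_headers(app, path: str) -> Dict[str, str]:
    """Drive a WSGI app for one GET request (minimal constructed
    environ) and return the response headers as a dict."""
    captured: Dict[str, str] = {}

    def start_response(status, headers, exc_info=None):
        captured.update(dict(headers))
        return lambda data: None

    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    list(app(environ, start_response))
    return captured


if __name__ == "__main__":
    protected = frame_protection(sample_app)
    print(response_headers(protected, "/mini-profiler-resources/results"))
    print(response_headers(protected, "/home"))
```

Scoping the headers to the result path keeps the change from affecting pages an integrator does want framed, which addresses the side-effect concern in question 1; a JS framebusting script alone would not be a substitute, since an attacker can neutralise it with the iframe `sandbox` attribute, whereas the headers are enforced by the browser before the page's script runs.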