X-Frame-Options for full page results?

We ran an application vulnerability scanner on our web app that uses MiniProfiler. It came back with a minor clickjacking vulnerability on the MiniProfiler result page because that page doesn't specify an X-Frame-Options header (or use a JS framebusting script). I've looked at the source code and see how this could be easily added. I'm willing to write this and create the pull request, but first I wanted to start this discussion.

  1. Are there any side-effects for including this header? I can't imagine wanting to frame in a MiniProfiler result page, but that doesn't mean someone won't want to. This seems like an easy add with little impact, but I may have overlooked something.
  2. Should the header be configurable in MiniProfiler settings? If so, how (on/off, specify what option you want, etc.)?
  3. What else am I missing?

Extra info - we enable MiniProfiler for admin users and ran the scan with admin credentials. MiniProfiler isn’t available for all users.
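One way to prototype the configurable header the post asks about, as an added example that is not MiniProfiler's own code: an ASP.NET Core middleware that sets X-Frame-Options only on responses under the profiler's route prefix, with an off/DENY/SAMEORIGIN setting so framing can still be allowed where someone needs it. The `ProfilerFrameOptions` type names and the `/mini-profiler-resources` prefix are assumptions; use the project's actual configured route base.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

// Off keeps current behaviour; Deny and SameOrigin map to the two header values
// every browser supports (ALLOW-FROM is deprecated and ignored by most browsers).
public enum FrameOptionsMode { Off, Deny, SameOrigin }

public class ProfilerFrameOptions
{
    public FrameOptionsMode Mode { get; set; } = FrameOptionsMode.Deny;
    // Assumed prefix; set this to the profiler's configured route base path.
    public string RoutePrefix { get; set; } = "/mini-profiler-resources";
}

public class ProfilerFrameOptionsMiddleware
{
    private readonly RequestDelegate _next;
    private readonly ProfilerFrameOptions _opts;

    public ProfilerFrameOptionsMiddleware(RequestDelegate next, ProfilerFrameOptions opts)
    {
        _next = next ?? throw new ArgumentNullException(nameof(next));
        _opts = opts ?? throw new ArgumentNullException(nameof(opts));
    }

    public async Task InvokeAsync(HttpContext context)
    {
        if (_opts.Mode != FrameOptionsMode.Off &&
            context.Request.Path.StartsWithSegments(_opts.RoutePrefix))
        {
            // Register before the pipeline runs so the header is written even when a
            // downstream component starts the response body first; an explicit header
            // set elsewhere (e.g. a site-wide security-headers middleware) wins.
            context.Response.OnStarting(() =>
            {
                if (!context.Response.Headers.ContainsKey("X-Frame-Options"))
                    context.Response.Headers["X-Frame-Options"] =
                        _opts.Mode == FrameOptionsMode.Deny ? "DENY" : "SAMEORIGIN";
                return Task.CompletedTask;
            });
        }
        await _next(context);
    }
}

public static class ProfilerFrameOptionsExtensions
{
    // Usage in Startup/Program: app.UseProfilerFrameOptions(new ProfilerFrameOptions { Mode = FrameOptionsMode.SameOrigin });
    public static IApplicationBuilder UseProfilerFrameOptions(this IApplicationBuilder app, ProfilerFrameOptions opts = null)
        => app.UseMiddleware<ProfilerFrameOptionsMiddleware>(opts ?? new ProfilerFrameOptions());
}
```

Scoping the header to the profiler prefix answers the side-effect question directly: pages outside that prefix are untouched, and the Off mode preserves today's behaviour for anyone who does need to frame the result page. A Content-Security-Policy `frame-ancestors` directive is the modern equivalent and can be added the same way for browsers that prefer it.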