ASVS Requirement 3.4.6
- Level: 2
- Chapter: V3 Web Frontend Security
- Section: V3.4 Browser Security Mechanism Headers
- Source: 0x12-V3-Web-Frontend-Security.md
Description
Verify that the web application uses the frame-ancestors directive of the Content-Security-Policy header field for every HTTP response to ensure that it cannot be embedded by default and that embedding of specific resources is allowed only when necessary. Note that the X-Frame-Options header field, although supported by browsers, is obsolete and may not be relied upon.
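The check below is an added example (not part of ASVS or any reference implementation) showing how a verifier can classify a response's framing protection according to this requirement. It assumes the response headers are given as a dict mapping header name to a string, or to a list of strings when the header is repeated; it enforces the same rules a browser does: only the enforced Content-Security-Policy header counts (Content-Security-Policy-Report-Only is ignored), a repeated directive within one policy is ignored after its first occurrence, and when several policies are present a frame is allowed only if all of them allow it, so the strictest one wins. X-Frame-Options on its own is reported as not meeting the requirement, matching the note above.

```python
"""Classify the framing protection of an HTTP response for ASVS 3.4.6.

Example code written for this page; it is not the ASVS project's own code.
Assumption: `headers` maps header name -> value, or -> list of values when
the same header appears more than once in the response.
"""

# Ordering used when several enforced policies set frame-ancestors: a frame
# must be permitted by every policy, so the most restrictive result applies.
_RANK = {"missing": 0, "open": 1, "allowlist": 2, "self": 3, "deny": 4}

# Source expressions that permit embedding from effectively any origin.
_WILDCARD_SOURCES = {"*", "http:", "https:", "http://*", "https://*"}


def parse_csp(header_value):
    """Split one CSP header value into {directive_name: [source, ...]}.

    Browsers honour only the first occurrence of a repeated directive, so
    setdefault() keeps the first and discards later duplicates.
    """
    directives = {}
    for part in header_value.split(";"):
        tokens = part.strip().split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def classify_frame_ancestors(sources):
    """Map a frame-ancestors source list to deny / self / allowlist / open."""
    lowered = [s.lower() for s in sources]
    # An empty source list is equivalent to 'none' in CSP.
    if not lowered or lowered == ["'none'"]:
        return "deny"
    if any(s in _WILDCARD_SOURCES for s in lowered):
        return "open"
    if all(s == "'self'" for s in lowered):
        return "self"
    return "allowlist"


def frame_ancestors_policy(headers):
    """Return (status, detail) describing the effective framing policy.

    status is one of: deny, self, allowlist, open, missing.
    """
    csp_values = []
    xfo = None
    for name, value in headers.items():
        values = value if isinstance(value, list) else [value]
        key = name.lower()
        if key == "content-security-policy":
            csp_values.extend(values)
        elif key == "x-frame-options":
            xfo = values[0]
        # "content-security-policy-report-only" is deliberately ignored:
        # a report-only policy never blocks embedding.

    status = "missing"
    for raw in csp_values:
        directives = parse_csp(raw)
        if "frame-ancestors" not in directives:
            continue
        candidate = classify_frame_ancestors(directives["frame-ancestors"])
        if _RANK[candidate] > _RANK[status]:
            status = candidate

    if status == "missing":
        if xfo is not None:
            detail = "only X-Frame-Options (%s) is set; it is obsolete" % xfo
        else:
            detail = "no enforced frame-ancestors directive"
    elif status == "open":
        detail = "frame-ancestors permits embedding from any origin"
    else:
        detail = "frame-ancestors restricts embedding (%s)" % status
    return status, detail


def meets_asvs_3_4_6(headers):
    """True when embedding is denied by default or limited to named origins."""
    status, _ = frame_ancestors_policy(headers)
    return status in ("deny", "self", "allowlist")


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    samples = {
        "hardened": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
        "partner embed": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
        "xfo only": {"X-Frame-Options": "DENY"},
        "wildcard": {"Content-Security-Policy": "frame-ancestors *"},
    }
    for label, hdrs in samples.items():
        print(label, frame_ancestors_policy(hdrs), meets_asvs_3_4_6(hdrs))
```

When auditing a site, feed this function the headers of every response (including error pages, redirects and API responses), not just the landing page: the requirement says "every HTTP response", and the pages most often left unprotected are the ones nobody thinks of as framable.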