0

I'm getting an OWASP ZAP Scanning alert:

Medium (Medium)    X-Frame-Options Header Not Set
Description        X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.
URL                https://10.11.12.13/web/network/config.html
Method             GET
Parameter          X-Frame-Options

To fix the alert I set HTTP headers in app.js

$httpProvider.defaults.headers.get['X-Frame-Options'] = 'DENY';

When building a project I get a TypeError

[INFO]  TypeError: 'undefined' is not an object (evaluating '$httpProvider.defaults.headers.get['X-Frame-Options']='DENY'')

Am I doing something wrong? Or is there a different way of fixing the alert?

Boris
  • 22,667
  • 16
  • 50
  • 71
  • 1
    Yes, don't do this kind of stuff inside angular. Do it on the webserver or in a .htaccess file or a web.config file. – MrWook Mar 27 '18 at 06:41

2 Answers2

0

You didn't follow the syntax in the article you linked, which lists:

$httpProvider.defaults.headers.get = { 'My-Header' : 'value' }

So yours should be something like :

$httpProvider.defaults.headers.get = { 'X-Frame-Options' : 'DENY' }

As MrWook suggested that might not be the best option. You should also checkout these answers:

kingthorin
  • 1,419
  • 9
  • 18
0

$httpProvider.defaults is used to set request headers. Leaving aside your error in how you are trying to use it, X-Frame-Options is a response header.

You can't set response headers in Angular: It is a client-side application.

You need to configure your HTTP server (https://10.11.12.13) to include the header.

How you do that depends on which HTTP server software you use. This guide, for example, covers Apache HTTPD and Nginx. You'll need to find documentation for the software you are using.

Quentin
  • 914,110
  • 126
  • 1,211
  • 1,335