Some time ago, I was working on a project where I had to fix an issue that was raised by our OWASP ZAP scanner, a free security tool that runs in the test phase of the project's Jenkins build. It checks for security vulnerabilities that you want to prevent from reaching Production.
The error / warning that was raised looked like this:
X-Frame-Options header is not included in the HTTP response to protect against ‘ClickJacking’ attacks.
That’s pretty generic, and anything could’ve caused it. The odd thing was that we actually had anti-clickjacking libraries in place for our service, so where was this coming from?
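To make the warning concrete, here is an added example (not code from the original post, and not ZAP's own implementation) of the kind of check a scanner applies to each response: it looks for a protective `X-Frame-Options` value or a `Content-Security-Policy` `frame-ancestors` directive and classifies the response accordingly. The header names, dict layout and sample responses are assumptions constructed for the example.

```python
"""Classify an HTTP response's anti-clickjacking protection.

Added example, not from the original post. Headers are assumed to be
supplied as a plain dict of name -> value, as a test harness or proxy
would hand them over.
"""

# X-Frame-Options values that browsers honour as framing protection.
# ALLOW-FROM is obsolete and ignored by current browsers, so a response
# carrying only that value is classed as weakly protected.
PROTECTIVE_XFO = {"DENY", "SAMEORIGIN"}


def _lower_headers(headers):
    """Return a copy of the header dict with lower-cased names.

    HTTP header names are case-insensitive, so a check that only matched
    'X-Frame-Options' would miss a server that emits 'x-frame-options'.
    """
    return {name.lower(): value for name, value in headers.items()}


def frame_ancestors_directive(csp):
    """Return the source list of the frame-ancestors directive in a CSP
    header value, or None when the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def check_clickjacking_protection(headers):
    """Classify one response. Returns one of:

      "csp"      - CSP frame-ancestors is present (takes precedence over
                   X-Frame-Options in browsers that support it)
      "xfo"      - X-Frame-Options is DENY or SAMEORIGIN
      "weak-xfo" - X-Frame-Options is present but not a protective value
      "missing"  - neither header is present; this is the case the
                   scanner warning in the post refers to
    """
    h = _lower_headers(headers)
    csp = h.get("content-security-policy")
    if csp is not None and frame_ancestors_directive(csp) is not None:
        return "csp"
    xfo = h.get("x-frame-options")
    if xfo is None:
        return "missing"
    if xfo.strip().upper() in PROTECTIVE_XFO:
        return "xfo"
    return "weak-xfo"


# Constructed sample responses (hypothetical; not captured from the
# post's service). Only the first one lacks any framing protection.
SAMPLE_RESPONSES = {
    "static-asset": {"Content-Type": "text/css"},
    "app-page": {"Content-Type": "text/html",
                 "X-Frame-Options": "SAMEORIGIN"},
    "csp-page": {"Content-Type": "text/html",
                 "Content-Security-Policy":
                     "default-src 'self'; frame-ancestors 'none'"},
}


def scan(responses):
    """Return the names of responses that would trigger the warning."""
    return sorted(name for name, hdrs in responses.items()
                  if check_clickjacking_protection(hdrs) == "missing")


if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(f"{name}: {check_clickjacking_protection(hdrs)}")
    print("unprotected:", scan(SAMPLE_RESPONSES))
```

Running the check across every response a build produces, rather than only the main page, is what reveals the situation described above: an anti-clickjacking library that sets the header on application pages still leaves any response served outside its filter chain (a static asset, an error page, an endpoint on a different servlet path) without it, and the scanner flags each of those individually.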