Final answer:
The X-Frame-Options header should be configured on the web server to mitigate clickjacking vulnerabilities.
Step-by-step explanation:
To help mitigate clickjacking vulnerabilities on a web server, a security engineer should configure the X-Frame-Options header. The web server sends this header with its responses to tell the browser whether the page can be loaded in a frame or iframe. By setting this header to 'DENY' or 'SAMEORIGIN', the web application can prevent other websites from embedding it within their frames, thus reducing the risk of clickjacking.
File upload size limits and input validation are important security measures, but they are not directly related to clickjacking vulnerabilities. The HttpOnly cookie field is a security measure to prevent client-side JavaScript from accessing the cookie, but it does not mitigate clickjacking.
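To check that the header is actually in place, the response headers can be audited. The following is an added example, not part of the original answer: the function name, sample paths and sample header values are constructed for illustration. It passes only 'DENY' or 'SAMEORIGIN' and flags missing, conflicting, misspelled and obsolete ALLOW-FROM values.

```python
# Added example (not from the original answer): audit X-Frame-Options.
ACCEPTED = {"DENY", "SAMEORIGIN"}  # the two values the answer recommends


def audit_x_frame_options(headers):
    """headers: list of (name, value) pairs from one HTTP response.
    Returns (protected, finding)."""
    # Header names are case-insensitive, and the header may be repeated or
    # comma-joined by an intermediary, so collect every token before judging.
    tokens = [
        token.strip().upper()
        for name, value in headers
        if name.strip().lower() == "x-frame-options"
        for token in value.split(",")
        if token.strip()
    ]
    if not tokens:
        return False, "missing: framing is not restricted by this header"
    if len(set(tokens)) > 1:
        return False, "conflicting values: " + ", ".join(sorted(set(tokens)))
    value = tokens[0]
    if value in ACCEPTED:
        return True, value
    if value.startswith("ALLOW-FROM"):
        return False, "ALLOW-FROM is obsolete and ignored by current browsers"
    return False, "unrecognized value: " + value


# Constructed sample responses (hypothetical paths, not real traffic).
SAMPLES = {
    "/login": [("X-Frame-Options", "DENY")],
    "/account": [("x-frame-options", " sameorigin ")],
    # HttpOnly protects the cookie but says nothing about framing.
    "/upload": [("Set-Cookie", "sid=abc123; HttpOnly; Secure")],
    "/partner": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
    "/proxy": [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")],
    "/typo": [("X-Frame-Options", "SAME-ORIGIN")],
}


def audit_all(samples):
    """Audit every sample response and return {path: (protected, finding)}."""
    return {path: audit_x_frame_options(hdrs) for path, hdrs in samples.items()}


if __name__ == "__main__":
    for path, (ok, finding) in audit_all(SAMPLES).items():
        print(f"{'PASS' if ok else 'FAIL'} {path}: {finding}")
```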