How has use of framing protection security headers changed in the past 3 years? (Wed, Jun 10th)

Medium
Vulnerability
Published: Wed Jun 10 2026 (06/10/2026, 08:23:57 UTC)
Source: SANS ISC Handlers Diary

Description

This analysis reviews the use of framing protection security headers, specifically X-Frame-Options and Content Security Policy (CSP) frame-ancestors directives, across the 1 million most popular internet domains over the past three years. These headers prevent web pages from being embedded in iframes on other sites, mitigating framing-based phishing attacks such as overlay phishing. The study found that while usage decreased slightly in the top 1,000 domains, overall deployment increased significantly in the top 100,000 and top 1 million domains, with CSP frame-ancestors adoption showing notable growth. Despite improvements, the majority of popular domains still do not implement these headers, leaving users potentially vulnerable to framing attacks. Implementation is straightforward, suggesting room for broader adoption.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 06/10/2026, 08:25:58 UTC

Technical Analysis

The report compares data from 2023 and 2026 on the deployment of X-Frame-Options and CSP frame-ancestors headers among the top 1 million domains. Both headers restrict whether a web page can be embedded in an iframe, protecting against framing attacks like overlay phishing. X-Frame-Options is the older and more limited mechanism (its ALLOW-FROM directive is obsolete), while CSP frame-ancestors offers more flexible, modern controls and is the mechanism current browsers prefer. The study found that overall usage of these headers increased from 14.4% to 29.7% in the top 1 million domains, with CSP frame-ancestors usage rising from 1.9% to 7.1%. The top 100,000 domains showed similar positive trends. However, the top 1,000 domains saw a slight decline in coverage, likely due to changes in domain composition. The most common directives remain SAMEORIGIN for X-Frame-Options and 'self' for CSP frame-ancestors. The strictest CSP directive, 'none', also saw growth. Despite this progress, many sites remain unprotected against framing attacks.

Potential Impact

Without these headers, web pages can be embedded in iframes on malicious sites, enabling framing-based phishing attacks such as overlay phishing, where attackers overlay fake login prompts on legitimate sites. This can lead to credential theft and user deception. The lack of widespread adoption of these headers means many users remain exposed to such risks. Increasing use of CSP frame-ancestors and X-Frame-Options reduces this attack surface by instructing browsers to block framing from unauthorized origins.

Mitigation Recommendations

No official patch or fix is applicable as this is a security configuration issue. Organizations should implement either the X-Frame-Options header or, preferably, the CSP frame-ancestors directive to control framing of their web content. Given the straightforward nature of adding these headers (often a single line in server configuration), it is recommended that all web administrators adopt these headers to mitigate framing-based phishing risks. The CSP frame-ancestors directive is the modern recommended approach and offers more flexibility than X-Frame-Options. Both headers can be used simultaneously for compatibility with legacy browsers.
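As an added example (not code from the diary or from SANS ISC), the following Python classifier applies the categories the study counts, X-Frame-Options versus CSP frame-ancestors and how strict each directive is, to constructed sample response headers; the host names and header values are made up, and the precedence rule (frame-ancestors wins when both headers are present) is taken from the CSP specification, not from the diary.

```python
"""Classify framing protection from HTTP response headers (added example, not
the ISC diary's code), using the categories the study counts, over constructed
sample headers. Only the enforced CSP header is consulted; Report-Only does not block."""
from typing import Dict, List, Optional

def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list (lower-cased) or None; handles comma-folded policies."""
    for policy in csp.split(","):
        for directive in policy.split(";"):
            parts = directive.strip().split()
            if parts and parts[0].lower() == "frame-ancestors":
                return [p.lower() for p in parts[1:]]
    return None

def classify(headers: Dict[str, str]) -> dict:
    """Report the effective framing protection for one response."""
    h = {k.lower(): v for k, v in headers.items()}
    xfo = h.get("x-frame-options", "").strip().upper()
    fa = parse_frame_ancestors(h.get("content-security-policy", ""))
    # Per CSP3, frame-ancestors takes precedence over X-Frame-Options when both are set.
    if fa is not None:
        level = ("none" if fa in ([], ["'none'"]) else
                 "self" if fa == ["'self'"] else "allowlist")
        # A wildcard source lets any origin frame the page: no real protection.
        return {"mechanism": "csp-frame-ancestors", "level": level,
                "protected": "*" not in fa}
    if xfo in ("DENY", "SAMEORIGIN"):
        return {"mechanism": "x-frame-options", "level": xfo.lower(), "protected": True}
    if xfo.startswith("ALLOW-FROM"):
        # Obsolete directive; current browsers ignore it, so the page stays framable.
        return {"mechanism": "x-frame-options", "level": "allow-from", "protected": False}
    return {"mechanism": None, "level": None, "protected": False}

# Constructed sample responses for hypothetical hosts.
SAMPLES = {
    "bank.example": {"X-Frame-Options": "SAMEORIGIN"},
    "app.example": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'", "X-Frame-Options": "SAMEORIGIN"},
    "legacy.example": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "wide.example": {"Content-Security-Policy": "frame-ancestors *"},
    "open.example": {"Server": "nginx"},
}

def summarize(samples: Dict[str, Dict[str, str]]) -> Dict[str, int]:
    # Count protected hosts and which mechanism is actually doing the protecting.
    counts = {"protected": 0, "csp-frame-ancestors": 0, "x-frame-options": 0}
    for hdrs in samples.values():
        r = classify(hdrs)
        if r["protected"]:
            counts["protected"] += 1
            counts[r["mechanism"]] += 1
    return counts
```

Pointing `classify` at real response headers (for example from `requests` or `curl -I`) reproduces the diary's per-site categories; `summarize` then gives the aggregate counts the study reports.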


Technical Details

Article Source: https://isc.sans.edu/diary/rss/33068 (fetched 2026-06-10T08:25:47Z, 1619 words)

