Hi, I am using haproxy 1.5.9 and apache 2.2.22 app servers behind it.
I am trying to run some pen testing using Burp Suite Pro on my application and 
this one issue keeps showing up: "Frameable response (potential Clickjacking)".
I tried to resolve it by adding the following lines to the https frontend in my 
haproxy.cfg 
   rspadd Strict-Transport-Security:\ max-age=16070400;\ includeSubDomains
   rspadd X-Frame-Options:\ SAMEORIGIN
   rspadd X-XSS-Protection:\ 1;\ mode=block
   rspadd X-Content-Type-Options:\ nosniff

but it keeps coming back with the same vulnerability "Frameable response 
(potential Clickjacking)".
When I check my browser using Firebug or developer tools I can see that the 
response headers are set correctly:

| Cache-Control | no-store, no-cache, must-revalidate, post-check=0, pre-check=0 |
| Content-Encoding | gzip |
| Content-Length | 6811 |
| Content-Type | text/html |
| Date | Wed, 04 Feb 2015 19:05:36 GMT |
| Expires | Thu, 19 Nov 1981 08:52:00 GMT |
| Pragma | no-cache |
| Server | Apache/2.2.22 (Ubuntu) |
| Strict-Transport-Security | max-age=16070400; includeSubDomains |
| Vary | Accept-Encoding |
| X-Content-Type-Options | nosniff |
| X-Frame-Options | SAMEORIGIN |
| X-XSS-Protection | 1; mode=block |

but when I check the response in Burp Suite I see:

HTTP/1.1 200 OK
Date: Tue, 03 Feb 2015 21:27:29 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 3408
Content-Type: text/html

How is that possible? Can anyone shed some light?
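An added example, not part of the original mail or of HAProxy itself: a small Python checker that parses raw HTTP responses and reports which of the four headers configured above are absent or carry a different value. The two sample responses are constructed from the header dumps quoted in the post. The checker also extracts the Server banner, because the two captures above differ there as well ("Apache/2.2.22 (Ubuntu)" versus "Apache"), and that is a useful datum when working out whether two captures of the same URL actually traversed the same proxy path.

```python
"""Check raw HTTP responses for the defensive headers HAProxy was configured to add."""

# Headers and values the poster added with rspadd; X-Frame-Options is the one
# Burp's "Frameable response (potential Clickjacking)" finding looks for.
EXPECTED_HEADERS = {
    "x-frame-options": "SAMEORIGIN",
    "strict-transport-security": "max-age=16070400; includeSubDomains",
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
}


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_line, headers).

    Header names are lower-cased because they are case-insensitive;
    repeated headers are joined with ', ' as RFC 7230 permits.
    """
    text = raw.replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]
    lines = head.split("\n")
    status_line = lines[0].strip()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        value = value.strip()
        headers[name] = headers[name] + ", " + value if name in headers else value
    return status_line, headers


def missing_headers(raw):
    """Return {header: problem} for expected headers that are absent or differ."""
    _, headers = parse_response(raw)
    problems = {}
    for name, expected in EXPECTED_HEADERS.items():
        actual = headers.get(name)
        if actual is None:
            problems[name] = "missing"
        elif actual.lower() != expected.lower():
            problems[name] = "unexpected value: " + actual
    return problems


def server_banner(raw):
    """Return the Server header, or None; a changed banner between two captures
    of the same URL suggests they did not pass through the same path."""
    return parse_response(raw)[1].get("server")


def _raw(lines):
    # Join header lines into a wire-format response head (constructed sample data).
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed from the browser developer-tools dump in the post.
BROWSER_RESPONSE = _raw([
    "HTTP/1.1 200 OK",
    "Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0",
    "Content-Encoding: gzip",
    "Content-Length: 6811",
    "Content-Type: text/html",
    "Date: Wed, 04 Feb 2015 19:05:36 GMT",
    "Expires: Thu, 19 Nov 1981 08:52:00 GMT",
    "Pragma: no-cache",
    "Server: Apache/2.2.22 (Ubuntu)",
    "Strict-Transport-Security: max-age=16070400; includeSubDomains",
    "Vary: Accept-Encoding",
    "X-Content-Type-Options: nosniff",
    "X-Frame-Options: SAMEORIGIN",
    "X-XSS-Protection: 1; mode=block",
])

# Constructed from the Burp Suite capture in the post.
BURP_RESPONSE = _raw([
    "HTTP/1.1 200 OK",
    "Date: Tue, 03 Feb 2015 21:27:29 GMT",
    "Server: Apache",
    "Expires: Thu, 19 Nov 1981 08:52:00 GMT",
    "Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0",
    "Pragma: no-cache",
    "Vary: Accept-Encoding",
    "Content-Length: 3408",
    "Content-Type: text/html",
])


if __name__ == "__main__":
    for label, raw in (("browser", BROWSER_RESPONSE), ("burp", BURP_RESPONSE)):
        print(label, "server=%s" % server_banner(raw), missing_headers(raw) or "all headers present")
```

Running it against the two captures reports every expected header present for the browser response and all four missing for the Burp response, with different Server banners. The same `missing_headers` check can be run over raw responses saved from each frontend (plain HTTP and HTTPS) to confirm that every path a scanner can reach actually carries the `rspadd` headers.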