
CAS-003 Question #491: Real Exam Question with Answer & Explanation

The correct answer is C: X-Frame-Options header.

Question

A recent security assessment revealed a web application may be vulnerable to clickjacking. According to the application developers, a fix may be months away. Which of the following should a security engineer configure on the web server to help mitigate the issue?

Options

  • A. File upload size limits
  • B. HttpOnly cookie field
  • C. X-Frame-Options header
  • D. Input validation

Explanation

Clickjacking (also called a UI redress attack) works by loading the target page inside an invisible or transparent iframe on a site the attacker controls, so that a user who thinks they are clicking the attacker's page is actually clicking buttons or links in the framed application. The X-Frame-Options HTTP response header tells the browser whether it may render the page inside a frame: DENY forbids all framing, and SAMEORIGIN permits framing only by pages from the same origin. (A third value, ALLOW-FROM, is obsolete and ignored by current browsers, so it should not be used.) Because the header is added by the web server to every response, it can be deployed immediately without touching application code, which is exactly what the question asks for while the developers work on a permanent fix. In practice the engineer should send it on every response, including error pages, and pair it with the Content-Security-Policy frame-ancestors directive, which is the modern replacement and takes precedence over X-Frame-Options when both are present. File upload size limits (A) protect against resource exhaustion, not clickjacking. The HttpOnly cookie flag (B) stops JavaScript from reading cookies, which mitigates session theft via XSS, not clickjacking. Input validation (D) defends against injection attacks such as SQL injection and XSS; it does nothing to stop a third-party page from framing the application.
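The following Python script is an added illustration, not part of the exam page or any CompTIA material. It evaluates the framing rules described above against a set of response headers: it implements the browser precedence (a Content-Security-Policy frame-ancestors directive wins and X-Frame-Options is then ignored), the DENY and SAMEORIGIN semantics, and the fact that the obsolete ALLOW-FROM value leaves the page frameable. The sample header sets and the origins app.example.com, portal.example.com and attacker.invalid are constructed for the example; the CSP source matching is a simplified version of the real algorithm (scheme-source, 'self', 'none', wildcard hosts and explicit ports only).

```python
"""Would a browser let framer_url embed page_url, given the page's response headers?

Added illustration for the clickjacking question; not exam or CompTIA code.
Simplifications: one value per header, no scheme upgrade (http: source
matching https: URL), no path matching (frame-ancestors has none anyway).
"""
from urllib.parse import urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _port(parts):
    return parts.port or _DEFAULT_PORTS.get(parts.scheme)


def _csp_source_allows(src, page_origin, framer_origin):
    """Simplified CSP source-expression match for frame-ancestors."""
    src = src.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return framer_origin == page_origin
    if src == "*":
        return True
    fr = urlsplit(framer_origin)
    if src.endswith(":") and "/" not in src:          # scheme-source, e.g. "https:"
        return fr.scheme == src[:-1]
    scheme, sep, hostport = src.partition("://")
    if not sep:                                        # host-source without scheme
        scheme, hostport = urlsplit(page_origin).scheme, src
    if scheme != fr.scheme:
        return False
    host, _, port = hostport.partition(":")
    if port == "*":
        pass
    elif port:
        if int(port) != _port(fr):
            return False
    elif _port(fr) != _DEFAULT_PORTS.get(fr.scheme):   # no port given: default port only
        return False
    if host.startswith("*."):                          # "*.example.com" matches subdomains only
        return fr.hostname.endswith(host[1:])
    return fr.hostname == host


def frameable_by(headers, page_url, framer_url):
    """Return (allowed, reason). headers is a dict of response header name -> value."""
    h = {k.lower(): v for k, v in headers.items()}
    page_origin, framer_origin = _origin(page_url), _origin(framer_url)

    # CSP frame-ancestors, when present, decides and X-Frame-Options is ignored.
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = value.split()
            allowed = any(_csp_source_allows(s, page_origin, framer_origin) for s in sources)
            return allowed, f"CSP frame-ancestors {value.strip()!r} decides; X-Frame-Options ignored"

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return framer_origin == page_origin, "X-Frame-Options: SAMEORIGIN"
    if xfo.startswith("ALLOW-FROM"):
        return True, "X-Frame-Options: ALLOW-FROM is obsolete; browsers ignore it, page is frameable"
    if xfo:
        return True, f"X-Frame-Options {xfo!r} is invalid; browsers ignore it"
    return True, "no framing restriction header at all"


# Constructed sample responses: the unfixed server, the quick server-side fix,
# the fix paired with CSP, and a server still relying on the obsolete value.
SAMPLES = {
    "before fix": {},
    "xfo only": {"X-Frame-Options": "SAMEORIGIN"},
    "xfo + csp": {"X-Frame-Options": "DENY",
                  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.example.com"},
    "allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example.com"},
}


def audit(samples=SAMPLES, page_url="https://app.example.com/transfer",
          framer_url="https://attacker.invalid/"):
    """Map sample name -> True if the attacker origin can frame the page."""
    return {name: frameable_by(hdrs, page_url, framer_url)[0] for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        allowed, why = frameable_by(hdrs, "https://app.example.com/transfer", "https://attacker.invalid/")
        print(f"{name:12s} frameable by attacker: {allowed!s:5s}  ({why})")
```

Against a live server the same decision can be fed from `curl -sI https://app.example.com/` output; on nginx the headers are set with `add_header X-Frame-Options "SAMEORIGIN" always;` and `add_header Content-Security-Policy "frame-ancestors 'self'" always;` (the `always` makes them appear on error responses too), and on Apache with `Header always set X-Frame-Options "SAMEORIGIN"`. Note that the script deliberately reports an ALLOW-FROM response as frameable: a server that "fixed" clickjacking with that value has not fixed it.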
