x-frame-options error on css files


Steven Gullion

Feb 2, 2016, 2:15:53 PM
to OWASP ZAP User Group
Newbie question (first day using ZAP):
I keep getting "X-Frame-Options Header Not Set" errors on CSS files, JavaScript files, images, etc.
Is this really a vulnerability? Is there even a way to add the header on resource files?
I'm working on a .NET MVC3 app, and I'm adding the header via a filter in Global.asax, but I can't find a way to add it to every file served.

kingthorin+owaspzap

Feb 2, 2016, 2:41:54 PM
to OWASP ZAP User Group
You can definitely configure the server to add a header to any response you like; just one example of a solution: https://technet.microsoft.com/en-us/library/cc753133%28v=ws.10%29.aspx

Is it really a vulnerability? That's an assessment you or a penetration tester need to make. On CSS and JS, probably not (depends how they're used and what having access to them might mean); on images, hard to say... if they're dynamically generated (charts or graphs or something) then you're opening yourself up to DoS by a third party framing the same thing 100s of times (CSRF style). They could all lead to some sort of info leak based on various known (or future unknown) browser history or cache disclosure vulns [if a 3rd party can frame a CSS or JS that's specific to admin users and then read your history or cache related to the item...], etc.
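The server-side route the reply points to, as an added example that is not from the thread or the linked article: a site-level web.config fragment for IIS 7+ that emits X-Frame-Options on every response, static files included, which a Global.asax filter cannot reach because static files never pass through the MVC pipeline. The SAMEORIGIN value is an assumed choice.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (not from the thread): IIS custom response headers are
     applied by IIS itself, so .css, .js and image responses get them too. -->
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- SAMEORIGIN still lets the site frame its own pages;
             use DENY if nothing on the site should ever be framed. -->
        <add name="X-Frame-Options" value="SAMEORIGIN" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```

Once this is in place, drop the Global.asax filter so the header is not emitted twice, and confirm by requesting a .css file directly and checking that the response carries the header.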

Steven Gullion

Feb 2, 2016, 4:25:09 PM
to OWASP ZAP User Group
Thanks. I would have preferred an MVC way, but doing it in IIS works.

As far as "Is this a vulnerability?", I guess I should consider scanning results to be like X-rays: meaningless until interpreted by an expert? Is that a fair statement? The problem is that I have third parties scanning my sites and all they know is that the scanners report vulnerabilities.

kingthorin+owaspzap

Feb 2, 2016, 6:05:51 PM
to OWASP ZAP User Group
As I said, that's just one example of how you might address the issue; there are almost definitely other ways as well.

Yes, that's a good analogy (X-rays).
