Prepare for the CompTIA PenTest+ Exam with flashcards and multiple choice questions. Each question offers hints and detailed explanations, empowering you for success!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!



What header in HTTP response is used to prevent clickjacking exploits by controlling whether a page can be displayed in frames?

  1. X-Content-Type-Options

  2. X-XSS-Protection

  3. X-Frame-Options

  4. Strict-Transport-Security

The correct answer is: X-Frame-Options

The correct answer is option 3. X-Frame-Options mitigates clickjacking directly because it controls whether a page may be rendered inside a frame on another site. By sending this header in an HTTP response, a site tells the browser to allow or refuse rendering of the page inside a frame, iframe, embed or object element. This matters because a clickjacking attack loads the target page in an invisible or disguised frame over a decoy page, so that clicks the user believes go to the decoy actually land on the framed site. With the value DENY, no origin may frame the page, not even the page's own origin. With SAMEORIGIN, framing is permitted only when the framing page (and, in current browsers, every ancestor frame) has the same origin as the page. A third value, ALLOW-FROM uri, was never supported by all browsers and is now obsolete; browsers ignore an X-Frame-Options value they do not recognise, which leaves the page frameable, so a pentester should treat ALLOW-FROM or a misspelled value as no protection. The modern replacement is the Content-Security-Policy directive frame-ancestors, which takes precedence over X-Frame-Options when both are present and lets the site list the origins allowed to frame it; sending both headers covers older browsers. A quick check during an assessment is to fetch the page with curl -sI and look for X-Frame-Options and Content-Security-Policy in the response. The other options, while related to security, do not address clickjacking. X-Content-Type-Options: nosniff stops the browser from MIME-sniffing a response into a different content type. X-XSS-Protection controlled the built-in XSS filter of older browsers; Chromium-based browsers have since removed that filter and Firefox never implemented the header, so it is not a reliable defence against cross-site scripting today. Strict-Transport-Security tells the browser to reach the host only over HTTPS for max-age seconds, defeating SSL-stripping and similar downgrade attacks that depend on an initial plaintext request. Each of these has its own security role, but none of them controls frame embedding.
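As an added example (this code is not part of the original practice question or its explanation), the following JavaScript decides whether a modern browser would render a response inside a frame on a given page. The X-Frame-Options branch follows the HTML Standard's "check a navigation response's adherence to X-Frame-Options" algorithm, including the conflicting-values and unrecognised-value cases; the Content-Security-Policy frame-ancestors branch is a simplified matcher that I wrote for this example (no port or path matching, one ancestor level) and is an assumption, not a complete CSP implementation. The header sets and URLs are constructed, not captured from any real site.

```javascript
// Added example, not from the original page or any browser's source. Given a
// response's headers, the URL of the framed document and the URL of the page
// trying to frame it, canBeFramed() answers: would a current browser render
// the frame? X-Frame-Options handling follows the HTML Standard; the CSP
// frame-ancestors matching below is a simplification (assumption): no port or
// path matching, and only the immediate framer is checked, not every ancestor.

// Collect every value of a header (names are case-insensitive), splitting
// comma-joined lists the way browsers do.
function headerValues(headers, name) {
  const want = name.toLowerCase();
  const out = [];
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() !== want) continue;
    for (const raw of [].concat(value)) {
      for (const part of String(raw).split(",")) {
        const v = part.trim();
        if (v) out.push(v);
      }
    }
  }
  return out;
}

// Does `origin` match one frame-ancestors source expression?
// Supports 'none', 'self', *, a scheme-source (https:) and a host-source with
// optional scheme and leading wildcard label (https://*.example.com).
function sourceMatches(source, origin, docOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return origin === docOrigin;
  if (src === "*") return true;
  const o = new URL(origin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return o.protocol === src;
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)$/);
  if (!m) return false; // ports and paths are not handled in this example
  const [, scheme, wildcard, host] = m;
  if (scheme && o.protocol !== scheme + ":") return false;
  if (wildcard) return o.hostname.endsWith("." + host);
  return o.hostname === host;
}

// Source list of the first enforced CSP policy that carries frame-ancestors,
// or null when no policy does. Content-Security-Policy-Report-Only is not
// consulted because it never blocks anything.
function frameAncestors(headers) {
  for (const policy of headerValues(headers, "Content-Security-Policy")) {
    for (const directive of policy.split(";")) {
      const tokens = directive.trim().split(/\s+/);
      if (tokens[0].toLowerCase() === "frame-ancestors") return tokens.slice(1);
    }
  }
  return null;
}

const originOf = (url) => new URL(url).origin;

function canBeFramed(headers, documentUrl, framerUrl) {
  const docOrigin = originOf(documentUrl);
  const framer = originOf(framerUrl);
  // An enforced frame-ancestors directive wins over X-Frame-Options.
  const ancestors = frameAncestors(headers);
  if (ancestors !== null) {
    return ancestors.some((s) => sourceMatches(s, framer, docOrigin));
  }
  // X-Frame-Options, per the HTML Standard.
  const xfo = headerValues(headers, "X-Frame-Options").map((v) => v.toLowerCase());
  if (xfo.length === 0) return true; // header absent: framing allowed
  const unique = new Set(xfo);
  if (unique.size > 1) {
    // Conflicting values: blocked if any recognised keyword is present,
    // otherwise every value is invalid and the header is ignored.
    return !["deny", "allowall", "sameorigin"].some((k) => unique.has(k));
  }
  const [value] = unique;
  if (value === "deny") return false;
  if (value === "sameorigin") return framer === docOrigin;
  return true; // ALLOW-FROM, typos and other unknown values are ignored
}

// Constructed sample: headers as they might be copied from a curl -I response.
const sampleHeaders = { "X-Frame-Options": "SAMEORIGIN" };
console.log(canBeFramed(sampleHeaders, "https://app.example.com/account", "https://attacker.example.net/"));
```

During an assessment the findings worth reporting are the cases where this returns true for a foreign origin: the header is absent, it carries the obsolete ALLOW-FROM form or a typo, or a CSP frame-ancestors list is broader than the X-Frame-Options value beside it, since the CSP directive is what the browser actually enforces.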