I am trying to fix a vulnerability found during a penetration scan. I need to correct the X-Frame-Options response header and set it to DENY so that the webpage is unable to be opened in a frame. I found this page:
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
That says to add this to the <system.webServer> section.
<system.webServer>
  ...
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>
  ...
</system.webServer>
to my web.config file. It looked straightforward enough, so I found that section and added that to the web.config file, and I am still getting the alert when I run the penetration test after the change was made.
I need to know if there is something else I need to do in order for this to be set correctly.
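
As an added example (not part of the original post and not taken from MDN): a Python check that reads a web.config and reports, for the site root and each `<location>` scope, whether the configured X-Frame-Options value is the DENY the scan expects. The sample config, the `admin` location and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the post's snippet in a minimal web.config, plus a
# hypothetical <location> override. Inheritance between scopes is not modelled.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="SAMEORIGIN" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
  <location path="admin">
    <system.webServer><httpProtocol><customHeaders>
      <remove name="X-Frame-Options" />
      <add name="X-Frame-Options" value="DENY" />
    </customHeaders></httpProtocol></system.webServer>
  </location>
</configuration>"""

def header_values(web_server, name):
    """Replay <clear/>, <remove> and <add> in document order for one scope."""
    values = []
    for node in web_server.findall("./httpProtocol/customHeaders/*"):
        same = node.get("name", "").lower() == name.lower()
        if node.tag == "clear" or (node.tag == "remove" and same):
            values = []
        elif node.tag == "add" and same:
            values.append(node.get("value", ""))
    return values

def audit(config_xml, name="X-Frame-Options", expected="DENY"):
    """Return {scope: (configured_values, matches_expected)} per config scope."""
    root = ET.fromstring(config_xml)
    scopes = [("(site root)", root.find("./system.webServer"))]
    scopes += [(loc.get("path", ""), loc.find("./system.webServer"))
               for loc in root.findall("./location")]
    report = {}
    for scope, web_server in scopes:
        if web_server is None:
            continue
        values = header_values(web_server, name)
        ok = len(values) == 1 and values[0].strip().upper() == expected
        report[scope] = (values, ok)
    return report

if __name__ == "__main__":
    for scope, (values, ok) in audit(SAMPLE_WEB_CONFIG).items():
        print(f"{scope}: {values} -> {'OK' if ok else 'does not match DENY'}")
```

A scope passes only when exactly one value is configured and it equals DENY, so a SAMEORIGIN entry, a missing header and a duplicated `<add>` are all reported as mismatches.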