Using embedded frames in web pages to leech or redirect traffic is quite common, and frames can also be used for XSS attacks. If your site is affected, you can address this by setting the X-Frame-Options header in the HTTP response. This only works in browsers that support X-Frame-Options.
The X-Frame-Options HTTP response header tells the browser whether a page may be displayed inside a frame or iframe element.
Using the X-Frame-Options attribute in the HTTP response header
The X-Frame-Options header accepts one of the following values:
DENY: The page must not be displayed in a frame at all, even when the framing page is on the same domain.
SAMEORIGIN: The page may be displayed in a frame only when the framing page is on the same domain.
ALLOW-FROM: The page may be displayed in a frame only when the framing page comes from the specified source.
If you do not use frames yourself and want to stop others from framing your pages, set it to DENY. If you use frames yourself but want to stop others from framing your pages, set it to SAMEORIGIN.
Add the following to the Nginx configuration:
add_header X-Frame-Options SAMEORIGIN;
Add the following to the HAProxy configuration (rspadd is accepted by HAProxy 1.x and 2.0; it was removed in 2.1, where http-response set-header is the equivalent):
# HAProxy 1.x / 2.0
rspadd X-Frame-Options:\ SAMEORIGIN
# HAProxy 2.1 and later
http-response set-header X-Frame-Options SAMEORIGIN
This effectively prevents XSS attacks from frames.
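To make the three values concrete, here is an added example (not part of the original post) that models how a browser evaluating X-Frame-Options decides whether to render a page inside a frame, and that parses the header value a server such as the Nginx or HAProxy configuration above would send. The URLs and header values are constructed for the example; the `may_render_in_frame` function is a simplified model that compares only the top-level document's origin, whereas some browsers check every ancestor frame, and ALLOW-FROM is modelled as the original specification described it even though current browsers no longer honour it.

```python
"""Model of X-Frame-Options evaluation (added example, not from the original post)."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Reduce a URL to its (scheme, host, port) origin, filling in default ports."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS.get(parts.scheme.lower())
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


def parse_x_frame_options(value):
    """Parse a header value into (directive, argument).

    Returns ("DENY", None), ("SAMEORIGIN", None), ("ALLOW-FROM", origin),
    ("MISSING", None) when no header was sent, or ("INVALID", raw) for
    anything else. Browsers ignore invalid values, so a typo in the
    server configuration silently leaves the page frameable.
    """
    if value is None:
        return ("MISSING", None)
    raw = value.strip()
    token, _, rest = raw.partition(" ")
    token = token.upper()
    rest = rest.strip()
    if token in ("DENY", "SAMEORIGIN") and not rest:
        return (token, None)
    if token == "ALLOW-FROM" and rest:
        return ("ALLOW-FROM", origin_of(rest))
    return ("INVALID", raw)


def may_render_in_frame(header_value, framed_url, top_url):
    """Decide whether a browser honouring X-Frame-Options renders framed_url
    inside a top-level document at top_url.

    Simplification: only the top-level origin is compared; some browsers
    check every intermediate ancestor as well. ALLOW-FROM follows the
    original specification; current browsers treat it as unrecognised.
    """
    directive, arg = parse_x_frame_options(header_value)
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return origin_of(framed_url) == origin_of(top_url)
    if directive == "ALLOW-FROM":
        return origin_of(top_url) == arg
    # MISSING or INVALID: the header has no effect and framing is allowed.
    return True


def audit_response_headers(headers):
    """Report whether a response (dict of header name -> value, constructed
    for the example) carries a usable anti-framing policy."""
    value = next((v for k, v in headers.items() if k.lower() == "x-frame-options"), None)
    directive, _ = parse_x_frame_options(value)
    if directive in ("DENY", "SAMEORIGIN"):
        return "ok: " + directive
    if directive == "ALLOW-FROM":
        return "weak: ALLOW-FROM is not honoured by current browsers"
    if directive == "MISSING":
        return "missing: page can be framed from any site"
    return "invalid: value will be ignored by browsers"


if __name__ == "__main__":
    # Constructed sample: the header the Nginx line above would produce.
    site = "https://app.example/login"
    print(may_render_in_frame("SAMEORIGIN", site, "https://app.example/"))     # True
    print(may_render_in_frame("SAMEORIGIN", site, "https://other.example/"))   # False
    print(audit_response_headers({"Content-Type": "text/html"}))
    print(audit_response_headers({"X-Frame-Options": "SAMEORIGIN"}))
```

Running the script against captured responses from your own servers (for example, the headers returned after applying the Nginx or HAProxy change above) is a quick way to confirm the value actually reached the client and was spelled correctly.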
Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options