New insecure check: X-Frame-Options (Incorrect Values)

README.md

@@ -48,7 +48,7 @@ HTTP Headers Analyzer<br />
 
 :heavy_check_mark: 13 [checks](#checks-missing-headers) of missing HTTP response headers.<br />
 :heavy_check_mark: 746 [checks](#checks-fingerprint-headers) of fingerprinting through HTTP response headers.<br />
-:heavy_check_mark: 59 [checks](#checks-deprecated-headersprotocols-and-insecure-values) of deprecated HTTP response headers/protocols or with values considered insecure.<br />
+:heavy_check_mark: 60 [checks](#checks-deprecated-headersprotocols-and-insecure-values) of deprecated HTTP response headers/protocols or with values considered insecure.<br />
 :heavy_check_mark: Browser compatibility check for enabled security headers.<br />
 :heavy_check_mark: Two types of analysis: brief and detailed, along with HTTP response headers.<br />
 :heavy_check_mark: Export of analysis to HTML5, PDF 1.4 and TXT.<br />

details.txt

@@ -297,6 +297,9 @@
 [ixfod_h]
  X-Frame-Options (Deprecated Values)
 
+[ixfoi_h]
+ X-Frame-Options (Incorrect Values)
+
 [ixpad_h]
  X-Pad (Deprecated Header)
 
@@ -642,6 +645,11 @@ Articles that may be useful to secure servers/services and enable security HTTP
  Replace this header with the Content-Security-Policy 'frame-ancestors' directive.
  Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
 
+[ixfodi]
+ The only values allowed for this header are "DENY" or "SAMEORIGIN".
+ Replace this header with the Content-Security-Policy 'frame-ancestors' directive.
+ Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+
 [ixpad]
  This header is deprecated since 2008.
  Ref: https://stackoverflow.com/questions/8711584/x-pad-avoid-browser-bug-header-added-by-apache

details_es.txt

@@ -297,6 +297,9 @@
 [ixfod_h]
  X-Frame-Options (Valor obsoleto)
 
+[ixfoi_h]
+ X-Frame-Options (Valores incorrectos)
+
 [ixpad_h]
  X-Pad (Cabecera obsoleta)
 
@@ -634,12 +637,17 @@ Referencias que pueden ser utilidad para securizar servidores y habilitar cabece
 
 [ixfo]
  Esta cabecera, o sus valores, pueden estar duplicados.
- Mejor aún: sustituya esta cabecera por la directiva 'frame-ancestors' de Content-Security-Policy.
+ Consejo: sustituya esta cabecera por la directiva 'frame-ancestors' de Content-Security-Policy.
  Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
 
 [ixfod]
  "ALLOW-FROM" no está soportado en los navegadores actuales.
- Sustituya esta cabecera por la directiva 'frame-ancestors' de Content-Security-Policy.
+ Consejo: sustituya esta cabecera por la directiva 'frame-ancestors' de Content-Security-Policy.
+ Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+
+[ixfodi]
+ Los únicos valores permitidos en esta cabeceras son "DENY" o "SAMEORIGIN".
+ Consejo: sustituya esta cabecera por la directiva 'frame-ancestors' de Content-Security-Policy.
  Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
 
 [ixpad]

humble.py

@@ -61,7 +61,7 @@
 SEC_S = "https://"
 URL_S = ' URL  : '
 
-version = '\r\n' + '(v. 2023-05-06)' + '\r\n'
+version = '\r\n' + '(v. 2023-05-12)' + '\r\n'
 now = datetime.now().strftime("%Y/%m/%d - %H:%M:%S")
 
 
@@ -920,6 +920,8 @@ def request_exceptions():
         print_details('[ixfo_h]', '[ixfo]', 'm', i_cnt)
     if 'allow-from' in xfo_header:
         print_details('[ixfod_h]', '[ixfod]', 'm', i_cnt)
+    if xfo_header not in ['deny', 'sameorigin']:
+        print_details('[ixfoi_h]', '[ixfodi]', 'm', i_cnt)
 
 if 'X-Pad' in headers:
     print_details('[ixpad_h]', '[ixpad]', 'd', i_cnt)

insecure.txt

@@ -46,6 +46,7 @@ X-DNS-Prefetch-Control: Potentially Unsafe Header
 X-Download-Options: Deprecated Header
 X-Frame-Options: Deprecated Values
 X-Frame-Options: Duplicated Values
+X-Frame-Options: Incorrect Values
 X-Pad: Deprecated Header
 X-Permitted-Cross-Domain-Policies: Unsafe Value
 X-Pingback: Unsafe Value