Skip to content

Missing Headers > Clickjacking vulnerability #43

Description

@jonesbaraza

We received a report on potential clickjacking vulnerability due to missing headers that allow a threat actor to embed the website or load it in an iframe from a different domain. While this is not a critical security risk, it would be great to control who can embed or use iframes on our websites. Also, the solution is pretty simple, adding some security headers. I will explain below what clickjacking is about, and how we can solve this easily.

Clickjacking
Also known as a UI redress attack, is a web-based attack where an attacker tricks a user into clicking on something different from what they perceive, potentially leading to unintended actions. This is usually done by embedding an invisible or disguised element within a webpage, making the user believe they are interacting with a legitimate button, link, or form while actually performing an action controlled by the attacker.

In terms of severity, its impact is relatively low as it is a client-side vulnerability.

Solution
I am aware that we may need to have some of our websites embedded in others or loaded over iFrames. For such cases, I propose we use X-Frame-Options.

To allow example.com to embed or load our website over an iframe, we could use:
Content-Security-Policy: frame-ancestors 'self' https://example.com;

If dealing with multiple websites, we could use:
Content-Security-Policy: frame-ancestors 'self' https://example.com https://partner.com;

And if we want to completely prevent any website from embedding our links or loading our website over an iFrame, we could use:
Content-Security-Policy: frame-ancestors 'none'; or a legacy method X-Frame-Options: DENY

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions