This repository has been archived by the owner on Jan 7, 2020. It is now read-only.

Implement X-Frame-Options header to mitigate Clickjacking #779

Open
harshc opened this issue May 10, 2018 · 0 comments


harshc commented May 10, 2018

Running security scans on our Uchiwa deployments, we found that the webserver is vulnerable to clickjacking:
http://www.nessus.org/u?399b1f56
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
http://en.wikipedia.org/wiki/Clickjacking

In particular, in our scans /bower_components/uchiwa-web/partials/login/ was the page that was scanned and identified as not having the appropriate response headers.

Expected Behavior

Webserver should mitigate Clickjacking attacks.

Current Behavior

Missing the remediation for Clickjacking

Possible Solution

There are multiple solutions, as outlined here:
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
One of the simplest options is to enable the X-Frame-Options response header.

Context

In our security and compliance auditing, we ran security scans using Nessus scanner and identified this as a potential issue.

Your Environment

  • Uchiwa version used: 0.14.2
  • sensu_wrapper::version: '0.3.2'
  • sensu_plugin_version: "1.2.0"
  • sensu::version: "0.25.3-1"
  • Operating System and version (e.g. Ubuntu 14.04): CentOS 6/7
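The remediation the issue asks for, shown as an added example rather than Uchiwa's own code: a Go `net/http` middleware that sets `X-Frame-Options: SAMEORIGIN` together with its Content-Security-Policy equivalent `frame-ancestors 'self'` (the OWASP cheat sheet linked above recommends sending both, since browsers that understand CSP give it precedence while older ones only honour X-Frame-Options). The route for the login partial and the handler bodies are placeholders that mirror the path named in the report; `framingBlocked` reproduces the check a scanner applies to the response headers, so the unprotected and protected servers can be compared side by side.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// antiClickjacking wraps a handler so every response carries the two headers
// that stop the page from being framed by another origin: the legacy
// X-Frame-Options header and the CSP frame-ancestors directive.
// SAMEORIGIN / 'self' still allows the UI to frame its own partials;
// use DENY / 'none' if the application never frames itself.
func antiClickjacking(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("X-Frame-Options", "SAMEORIGIN")
		h.Set("Content-Security-Policy", "frame-ancestors 'self'")
		next.ServeHTTP(w, r)
	})
}

// newServer builds a stand-in for the UI webserver. The login-partial path is
// the one named in the scan report; the bodies are placeholders, not Uchiwa's
// code. With protected=false the mux is served bare, reproducing the finding.
func newServer(protected bool) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/bower_components/uchiwa-web/partials/login/", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		fmt.Fprint(w, "<html><body>login partial (placeholder)</body></html>")
	})
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "index (placeholder)")
	})
	if !protected {
		return mux
	}
	return antiClickjacking(mux)
}

// responseHeaders performs an in-process GET against the server and returns
// the response headers, which is exactly what a scanner inspects.
func responseHeaders(path string, protected bool) http.Header {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, path, nil)
	newServer(protected).ServeHTTP(rec, req)
	return rec.Result().Header
}

// framingBlocked reports whether the headers prevent cross-origin framing:
// either a restrictive X-Frame-Options value (case-insensitive per RFC 7034)
// or a CSP policy that carries a frame-ancestors directive.
func framingBlocked(h http.Header) bool {
	xfo := strings.ToUpper(strings.TrimSpace(h.Get("X-Frame-Options")))
	csp := h.Get("Content-Security-Policy")
	return xfo == "DENY" || xfo == "SAMEORIGIN" || strings.Contains(csp, "frame-ancestors")
}

func main() {
	path := "/bower_components/uchiwa-web/partials/login/"
	for _, protected := range []bool{false, true} {
		h := responseHeaders(path, protected)
		fmt.Printf("protected=%v\n  X-Frame-Options: %q\n  Content-Security-Policy: %q\n  framing blocked: %v\n",
			protected, h.Get("X-Frame-Options"), h.Get("Content-Security-Policy"), framingBlocked(h))
	}
}
```

Wrapping the top-level mux (rather than individual routes) is what makes the fix cover static partials such as the login page, which are typically served by a file handler rather than an application route and are therefore the ones scanners tend to flag.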