Description
We received a report on a potential clickjacking vulnerability due to missing response headers that allow a threat actor to embed the website or load it in an iframe from a different domain. While this is not a critical security risk, it would be good to control who can embed our websites or load them in iframes. The fix is also simple: adding a security header. I will explain below what clickjacking is about and how we can solve this easily.
Clickjacking
Clickjacking, also known as a UI redress attack, is a web-based attack in which an attacker tricks a user into clicking on something different from what they perceive, potentially leading to unintended actions. This is usually done by embedding the target page as an invisible or disguised element within the attacker's page, so the user believes they are interacting with a legitimate button, link, or form while actually performing an action the attacker controls.
In terms of severity, its impact is relatively low as it is a client-side vulnerability.
Solution
I am aware that we may need to have some of our websites embedded in others or loaded over iframes. For such cases, I propose we use the Content-Security-Policy frame-ancestors directive, which supersedes X-Frame-Options and, unlike it, lets us name the origins allowed to frame us.
To allow example.com to embed or load our website over an iframe, we could use:
Content-Security-Policy: frame-ancestors 'self' https://example.com;
If dealing with multiple websites, we could use:
Content-Security-Policy: frame-ancestors 'self' https://example.com https://partner.com;
And if we want to completely prevent any website from embedding our pages or loading our website over an iframe, we could use:
Content-Security-Policy: frame-ancestors 'none';
or the legacy equivalent:
X-Frame-Options: DENY
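To check a planned header value before deploying it, here is an added example (not code from the original report) of a small offline evaluator that answers "may origin X frame this page?" the way a browser does: it parses frame-ancestors, applies the 'self', 'none', scheme, host and wildcard-subdomain matching rules, and only falls back to X-Frame-Options when no frame-ancestors directive is present. The function names, the site ourapp.test and the sample origins are all hypothetical.

```python
from urllib.parse import urlsplit

# Added example, not part of the original report: an offline evaluator for the
# anti-framing headers discussed above. Given a response's headers it decides
# whether a given embedding origin may frame the page, as a browser would.

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_frame_ancestors(csp):
    """Return the source expressions of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def _port(parts):
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def source_matches(source, embedder, page):
    """True if one frame-ancestors source expression matches the embedding origin."""
    e, p = urlsplit(embedder), urlsplit(page)
    if source == "'none'":
        return False
    if source == "'self'":
        return (e.scheme, e.hostname, _port(e)) == (p.scheme, p.hostname, _port(p))
    if source == "*":
        return True
    if source.endswith(":") and "/" not in source:      # scheme-source, e.g. https:
        return e.scheme == source[:-1]
    # host-source: [scheme://]host[:port]; a leading "*." matches subdomains only
    if "://" in source:
        scheme, rest = source.split("://", 1)
        if e.scheme != scheme:
            return False
    else:
        rest = source
        # no scheme given: the page's scheme applies (http pages also accept https embedders)
        if e.scheme != p.scheme and not (p.scheme == "http" and e.scheme == "https"):
            return False
    host, _, port = rest.partition(":")
    ehost = (e.hostname or "").lower()
    if host.startswith("*."):
        if not ehost.endswith(host[1:]):
            return False
    elif ehost != host:
        return False
    if port and port != "*" and str(_port(e)) != port:
        return False
    return True


def framing_allowed(headers, page, embedder):
    """Decide whether `embedder` may frame `page` given its response headers.

    Returns (allowed, reason). Browsers honour frame-ancestors when present and
    ignore X-Frame-Options in that case, so the CSP directive is checked first.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    sources = parse_frame_ancestors(lowered.get("content-security-policy", ""))
    if sources is not None:
        allowed = any(source_matches(s, embedder, page) for s in sources)
        return allowed, "Content-Security-Policy: frame-ancestors " + " ".join(sources)
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return source_matches("'self'", embedder, page), "X-Frame-Options: SAMEORIGIN"
    return True, "no anti-framing header (clickjackable)"


# Constructed sample responses for the hypothetical site ourapp.test
PAGE = "https://ourapp.test/account"
SAMPLES = {
    "partner allow-list": {"Content-Security-Policy": "frame-ancestors 'self' https://example.com https://*.partner.com;"},
    "deny all":           {"Content-Security-Policy": "frame-ancestors 'none';"},
    "legacy deny":        {"X-Frame-Options": "DENY"},
    "unprotected":        {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    origins = ("https://ourapp.test", "https://example.com", "https://app.partner.com", "https://attacker.test")
    for name, hdrs in SAMPLES.items():
        for origin in origins:
            ok, why = framing_allowed(hdrs, PAGE, origin)
            print(f"{name:18} {origin:26} {'ALLOW' if ok else 'BLOCK'}  ({why})")
```

Two points the evaluator encodes that are easy to get wrong in practice: frame-ancestors only takes effect when delivered as an HTTP response header (a CSP in a meta tag ignores it), and when both headers are sent the frame-ancestors directive wins, so the legacy X-Frame-Options header is only worth keeping for clients that do not understand CSP.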