-
-
Notifications
You must be signed in to change notification settings - Fork 775
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Stop Bypass X-Frame-Options #8324
Comments
@frankchen07 @thelostone-mc @octavioamu Is this something that needs to be handled by nginx? Currently we set This looks like a solid solution: https://github.com/mozilla/django-csp/ If we're all okay with the caveats above, then I have this ready to push, but I'm happy to delete it if it does need to go in the conf, we're better to be safe than sorry when it comes to security configuration. -- I've also tested a more complete (but basic) policy (frame_ancestors & script_src) and a lot of the content is blocked unless I include unsafe-inline and unsafe-eval (because of the way vuejs carries out rendering from a html template). I'll open another issue regarding this because I think we will need to have a discussion around how we go about implementing a more thorough CSP safely. |
Who
When a malicious user can
What
bypass the X-Frame-Options header and create clickjacking on the whole domain
Why
we should stop this in its tracks
Details
Implement Content-Security-Policy: frame-ancestors 'self' is better, because it checks all frame ancestors. We should implement a CSP header to avoid these sort of attacks.
We will also have to add https://content-security-policy.com to the nginx config file.
The text was updated successfully, but these errors were encountered: