Bug
Resolution: Done
Medium
Kohn Release
None
As part of security scans it came up that the SDC UI may be susceptible to clickjacking, as the "X-Frame-Options" response header is not enabled.
Severity | Medium |
Impact/Threat | X-Frame-Options is not configured on some interfaces |
Description | A clickjacking (UI redress) attack may be possible if "X-Frame-Options" is not enabled on the web server: a page that any origin may frame can be loaded in an invisible iframe on an attacker's site and the user tricked into clicking its controls. |
Solution/Mitigation | Send the X-Frame-Options header (DENY, or SAMEORIGIN if the UI must frame itself) in the HTTP response so the browser refuses framing from other origins; the Content-Security-Policy frame-ancestors directive is the current standard and takes precedence over X-Frame-Options where both are present. As defence in depth, employ code in the UI that checks the current frame is the top-level window, keeping in mind that such frame-busting scripts can be bypassed (for example by a sandboxed iframe) and do not replace the header. |
More Information | see attached screenshot |