Project: Service Design and Creation
Issue: SDC-4192

X-Frame-Options not configured: Lack of clickjacking protection

    • Type: Bug
    • Resolution: Done
    • Priority: Medium
    • London Release
    • Kohn Release
    • Component: SDC

      As part of security scans it came up that the SDC UI may be susceptible to clickjacking, as "X-Frame-Options" is not enabled.

      Severity: Medium
      Impact/Threat: X-Frame-Options is not configured on some interfaces.
      Description: An XSS attack may be possible if "X-Frame-Options" is not enabled on the webserver.
      Solution/Mitigation: Employ defensive code in the UI to ensure that the current frame is the top-level window. Send the proper X-Frame-Options in the HTTP response headers that instruct the browser to not allow framing from other domains.
      More Information: see attached screenshot.
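The two mitigations above, as an added example (not SDC project code): a header check that verifies whether a response actually blocks cross-origin framing via X-Frame-Options or the CSP frame-ancestors directive, and the defensive top-level-window test the UI can run. The header sets in the comments are constructed samples.

```javascript
// Lower-case header names so lookups do not depend on the server's casing.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Decide whether a set of HTTP response headers stops other origins from
// framing the page. Returns { protected: boolean, reason: string }.
// CSP frame-ancestors takes precedence over X-Frame-Options in browsers
// that support it, so it is evaluated first.
function framingProtection(headers) {
  const h = normalizeHeaders(headers);
  const csp = h['content-security-policy'];
  if (csp) {
    const directive = csp.split(';').map((d) => d.trim())
      .find((d) => /^frame-ancestors\b/i.test(d));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1).map((s) => s.toLowerCase());
      if (sources.includes('*')) {
        return { protected: false, reason: 'CSP frame-ancestors allows any origin' };
      }
      // 'none', 'self' or an explicit origin list all block arbitrary third parties.
      return { protected: true, reason: `CSP ${directive}` };
    }
  }
  const xfo = h['x-frame-options'];
  if (!xfo) {
    return { protected: false, reason: 'no X-Frame-Options or frame-ancestors header' };
  }
  const value = xfo.toUpperCase();
  if (value === 'DENY' || value === 'SAMEORIGIN') {
    return { protected: true, reason: `X-Frame-Options: ${value}` };
  }
  // ALLOW-FROM is obsolete and ignored by current browsers: treat as unprotected.
  return { protected: false, reason: `unsupported X-Frame-Options value "${xfo}"` };
}

// Defensive UI check: true only when this document is the top-level browsing
// context. The window object is passed in so the check can run outside a browser.
function isTopLevelWindow(win) {
  return win.top === win.self;
}

// Sample (constructed) header sets, e.g. as captured from a scan:
//   framingProtection({ 'X-Frame-Options': 'DENY' }).protected          -> true
//   framingProtection({ 'Content-Type': 'text/html' }).protected        -> false
```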

            Assignee and reporter: vasraz