
X-Frame-Options Header Not Set On Stackle App

Open · thishnika opened this issue 4 years ago · 0 comments

Fixes CWE-16, CWE-601 & WASC-15 vulnerabilities on Stackle-app

Changes proposed in the pull request

In the HTTP response headers of the Stackle application, set the X-Frame-Options header as below.

X-Frame-Options: DENY

Impact

The page cannot be displayed in a frame, regardless of the site attempting to do so.

Other information

References

  1. https://owasp.org/www-community/attacks/Clickjacking
  2. https://cwe.mitre.org/data/definitions/16.html
  3. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
  4. https://www.imperva.com/learn/application-security/clickjacking/#:~:text=Clickjacking%20is%20an%20attack%20that,or%20disguised%20as%20another%20element.&text=Typically%2C%20clickjacking%20is%20performed%20by,the%20page%20the%20user%20sees.
  5. https://javascript.info/clickjacking

thishnika · May 26 '21 21:05