15 DAYS AGO • 1 MIN READ

(#1) Clickjacking 🦊 And headers to the rescue

profile

pills.dev 💊 weekly coding tips & tricks

Short and juicy 🧃, digestible knowledge pills 💊 for software developers.

Join +2,660 software developers getting weekly tips covering security, quality and system design.

Imagine you are building your amazing website... it has all the great features that make the users happy. They are using it and believe they are fully safe to make the most of it.

But someday... You discover that your system is vulnerable to CLICKJACKING!

- "Bartosz! What does it mean?!"

- "Reader... Look below."

Scary, right? The problem is that clickjacking is a real issue...

Here is how it works:

  1. A user visits some other (evil) website that has some encouraging button to click (like "You won $100"),
  2. This (evil) website has your website EMBEDDED in an invisible iframe,
  3. that user (unaware) clicks the button on YOUR website,
  4. The action is executed on behalf of that (logged) user 😳

You may ask, scared: - "Bartosz! How is this possible?!"

The embedded website may be positioned absolutely in a way that when the user clicks on the proper place at that evil website, the real click happens on the embedded one (not the visible one), potentially executing some sensitive operation. It may be anything, from liking a post, or sending a message, or even sending money in a one-click checkout!

Don't worry! There is an easy way to prevent this kind of "embedding" of your website from happening. You need to send proper HTTP headers while serving your website.

The first way is to use the X-Frame-Options header. The value may be set to DENY or SAMEORIGIN. Look below.

If you choose the value DENY, then no website will be allowed to embed your website. In the case of value SAMEORIGIN, only the pages served from the same origin will be allowed to embed it in frames or iframes. Practically speaking, pages from your domain (with the same port) could embed your website.

The second option is to use the Content Security Policy with the frame-ancestor directive. You can deny embedding with 'none' or list allowed origins!

Example below.

That's all for this week!

We are one step closer to building secure Web applications.

Rate this email:

GREAT 😃 | OKEY 😐 | BAD 😟

Next week 👉 Next tip 💥
Bartosz

Web Security Starter Kit 🚀


Web Security Dev Academy

PS. If you want to chat, then just reply :) There are many interesting challenges to talk about.

pills.dev 💊 weekly coding tips & tricks

Short and juicy 🧃, digestible knowledge pills 💊 for software developers.

Join +2,660 software developers getting weekly tips covering security, quality and system design.

Read more from pills.dev 💊 weekly coding tips & tricks

(#10) Code coverage == body temperature? 🤒

15 DAYS AGO • 1 MIN READ

Discover All Posts