The website is vulnerable to clickjacking attacks as demonstrated below.
Description / Vulnerability
This is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top-level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.
Recommendations
- Send the proper X-Frame-Options HTTP response headers that instruct the browser to not allow framing from other domains.
- Employ defensive code in the UI to ensure that the current frame is the most top-level window.
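Both recommendations, as an added example that is not part of the original report: the response headers that forbid framing (X-Frame-Options plus its modern equivalent, CSP frame-ancestors), a checker that classifies a response's framing protection so the fix can be verified, and the top-level-window test for the client side. The function names are assumptions.

```javascript
// Added example (not from the original report). Names are assumed.

// Headers to send on every HTML response. X-Frame-Options covers older
// browsers; CSP frame-ancestors is the modern form and takes precedence
// where both are understood. Pass true if the app frames its own pages.
function antiFramingHeaders(allowSameOrigin = false) {
  return {
    "X-Frame-Options": allowSameOrigin ? "SAMEORIGIN" : "DENY",
    "Content-Security-Policy": allowSameOrigin
      ? "frame-ancestors 'self'"
      : "frame-ancestors 'none'",
  };
}

// Classify a response's framing protection from its headers (header names
// matched case-insensitively, as returned by fetch() or Node's http module).
// Returns "none" (vulnerable), "same-origin", "allow-listed" or "denied".
function framingProtection(headers) {
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key ? String(headers[key]) : "";
  };
  const csp = get("content-security-policy").toLowerCase();
  const m = csp.match(/frame-ancestors\s+([^;]+)/);
  if (m) {
    const sources = m[1].trim();
    if (sources === "'none'") return "denied";
    if (sources === "'self'") return "same-origin";
    return "allow-listed";
  }
  const xfo = get("x-frame-options").toUpperCase().trim();
  if (xfo === "DENY") return "denied";
  if (xfo === "SAMEORIGIN") return "same-origin";
  return "none"; // ALLOW-FROM is obsolete and ignored by current browsers
}

// Client-side defence in depth: true when the document is the top-level
// window. Takes a window-like object so it can be tested outside a browser;
// in a page call isTopLevel(window) and, if false, hide the UI or break out
// with window.top.location = window.self.location.
function isTopLevel(win) {
  return win.top === win.self;
}
```

The headers are the primary fix; the client-side check only backs them up, since a framing page can sometimes sandbox or suppress script-based frame busting.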