ethereum / staking-launchpad

The deposit launchpad for staking on Ethereum 🦏
Creative Commons Zero v1.0 Universal

Launchpad HTTP headers security improvement #432

Open Aldekein opened 3 years ago

Aldekein commented 3 years ago

Some HTTP headers required for security are not set on https://launchpad.ethereum.org/. With a carefully crafted combination of stylesheets, iframes, and text boxes on a phishing webpage, a user can be led to believe they are interacting with the real launchpad website, but are instead typing into an invisible frame controlled by the attacker.

Proposed fix

As described in greater detail in the OWASP project (https://owasp.org/www-project-secure-headers/), the website's security will benefit from instructing the browser by adding the following headers to responses at https://launchpad.ethereum.org/:

X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'none'
X-Content-Type-Options: nosniff
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: origin-when-cross-origin
X-XSS-Protection: 0
Strict-Transport-Security: max-age=15768000;includeSubdomains

Additional notes:

  1. The proposed Content-Security-Policy header is the minimal required version; it may benefit from more precise tuning based on the specifics of Launchpad.
  2. The Strict-Transport-Security header is already present, but it does not include the includeSubdomains flag.

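An added audit script (not part of this issue or the staking-launchpad project) that checks a captured set of response headers against the list proposed above, including the two details the notes call out: the CSP only needs a frame-ancestors directive, and HSTS must carry includeSubDomains. The `BEFORE`/`AFTER` dictionaries are constructed samples, not real responses from the launchpad.

```python
"""Audit HTTP response headers against the set proposed in this issue.

Header names are case-insensitive (RFC 9110) and HSTS directives are also
case-insensitive (RFC 6797), so "includeSubdomains" and "includeSubDomains" both pass.
"""

# Audit baseline taken from the proposed headers (hypothetical exact-match values).
EXPECTED = {
    "x-frame-options": "SAMEORIGIN",
    "content-security-policy": "frame-ancestors 'none'",
    "x-content-type-options": "nosniff",
    "x-permitted-cross-domain-policies": "none",
    "referrer-policy": "origin-when-cross-origin",
    "x-xss-protection": "0",
}


def audit_headers(headers):
    """Return a sorted list of findings; an empty list means every check passed."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, expected in EXPECTED.items():
        if name not in h:
            findings.append(f"missing {name}")
        elif name == "content-security-policy":
            # A tuned CSP may carry many directives; clickjacking defence only
            # needs frame-ancestors to be present, so do not demand an exact match.
            directives = [d.strip().lower() for d in h[name].split(";")]
            if not any(d.startswith("frame-ancestors") for d in directives):
                findings.append("content-security-policy lacks frame-ancestors")
        elif h[name].lower() != expected.lower():
            findings.append(f"{name} is {h[name]!r}, expected {expected!r}")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing strict-transport-security")
    elif "includesubdomains" not in [d.strip().lower() for d in hsts.split(";")]:
        findings.append("strict-transport-security lacks includeSubDomains")
    return sorted(findings)


# Constructed sample: the state the issue reports (HSTS set, but without includeSubdomains).
BEFORE = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=15768000"}

# Constructed sample: a response carrying every proposed header.
AFTER = {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Permitted-Cross-Domain-Policies": "none",
    "Referrer-Policy": "origin-when-cross-origin",
    "X-XSS-Protection": "0",
    "Strict-Transport-Security": "max-age=15768000;includeSubdomains",
}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(hdrs) or "ok")
```

Feed it the headers from `curl -sI https://launchpad.ethereum.org/` (parsed into a dict) to re-check the site after the devops change lands.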
Aldekein commented 2 years ago

@hwwhww @CarlBeek could you help with this or point me to a person who can?

CarlBeek commented 2 years ago

Thanks for bringing this to my attention and I apologize for the delayed response. I have raised this issue with devops internally so we should get this sorted ASAP.

samajammin commented 2 years ago

Not sure if this would fix all issues but here's the Netlify configuration we did for HTTP response headers on ethereum.org: https://github.com/ethereum/ethereum-org-website/pull/744