Qualys reported a medium-level security risk with the Doorway production site (doorway prod). This is the info:
The problem:
The web page can be framed. This means that clickjacking attacks against users are possible.
Note: only 10 pages are reported for this QID, similar to QID 150245 (Missing header: X-Frame-Options).
Impact
Description
With clickjacking, an attacker can trick a victim user into clicking an invisible frame on the web page, thereby causing the victim to take an action they did not intend to take.
Solution
Description
Clickjacking prevention mechanisms include:
X-Frame-Options: This HTTP response header can be used to prevent framing of web pages.
Content-Security-Policy: The 'frame-ancestors' directive can be used to prevent framing of web pages.
Explore one of the options above to prevent framing on doorway.
Implement the fix
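Since the QA notes say testing on localhost is difficult, a small header check helps confirm the fix once it is deployed. The script below is an added example written for this ticket (not Doorway's own code): it classifies a response's framing protection from its headers, applying the two mechanisms Qualys lists. It evaluates `Content-Security-Policy` `frame-ancestors` first, because browsers that support it ignore `X-Frame-Options` when both are present, and it treats `Content-Security-Policy-Report-Only` and the obsolete `ALLOW-FROM` value as giving no protection. The sample header sets and the `https://partner.example` origin are constructed for illustration, not captured from doorway prod.

```python
"""Classify whether HTTP response headers stop a page from being framed.

Added illustration for this ticket; not part of Doorway's code base.
"""
import urllib.request
from typing import Dict, List


def _split_csp(value: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def framing_protection(headers: Dict[str, str]) -> str:
    """Return 'blocked', 'same-origin', 'allow-list' or 'unprotected'.

    CSP frame-ancestors is checked first: browsers that understand it use
    it and ignore X-Frame-Options when both headers are present.
    Content-Security-Policy-Report-Only is ignored on purpose; it only
    reports violations and does not prevent framing.
    """
    h = {k.lower(): v for k, v in headers.items()}

    csp = h.get("content-security-policy", "")
    if csp:
        sources = _split_csp(csp).get("frame-ancestors")
        if sources == ["'none'"]:
            return "blocked"
        if sources == ["'self'"]:
            return "same-origin"
        if sources:
            # Explicit list of origins that may embed the page.
            return "allow-list"
        # No frame-ancestors directive (or an empty one): fall through and
        # look at X-Frame-Options rather than assume protection.

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM is obsolete and modern browsers ignore it, as they ignore
    # any other unrecognised value, so the page can still be framed.
    return "unprotected"


def check_url(url: str) -> str:
    """Fetch a URL with a plain GET and classify its response headers."""
    with urllib.request.urlopen(url) as resp:
        return framing_protection(dict(resp.headers.items()))


# Constructed sample responses (not captured from Doorway).
SAMPLES = {
    "no header (what Qualys flagged)": {"Content-Type": "text/html"},
    "X-Frame-Options only": {"X-Frame-Options": "SAMEORIGIN"},
    "CSP frame-ancestors": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"
    },
    "both set; CSP wins in modern browsers": {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'self' https://partner.example",
    },
    "report-only does not enforce": {
        "Content-Security-Policy-Report-Only": "frame-ancestors 'none'"
    },
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:40} -> {framing_protection(hdrs)}")
```

Run it against the deployed site with `check_url("https://<doorway prod host>/")` for each of the 10 flagged pages; anything other than `blocked` or `same-origin` means the Qualys finding still stands.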
QA Notes:
This will be handled by Eng (specifically @ColinBuyck). Testing directly on localhost is proving to be difficult, so this QA is a central part of the work for this issue.
Description from Glenn:
Exygy next steps: