Closed mortenhillbom closed 1 week ago
⏱️ Estimated effort to review [1-5] | 2 |
🧪 Relevant tests | No |
🔒 Security concerns |
- Clickjacking Vulnerability: Removing the `x-frame-options` header without implementing alternative protections can make the application vulnerable to clickjacking attacks. This should be addressed either by frontend controls or other server-side security headers. |
⚡ Key issues to review |
Possible Security Risk: Disabling the x-frame-options header can expose the application to clickjacking attacks. It's important to ensure that other measures are in place to mitigate this risk, especially if the application is embedded in third-party sites.
|
Category | Suggestion | Score |
Security |
Adjust the helmet configuration to selectively allow framing from trusted domains instead of disabling it entirely___ **Consider using a more specific configuration for thehelmet middleware instead of disabling xFrameOptions globally. This change might inadvertently lower the security by allowing your app to be embedded in a frame from any origin. If the intention is to allow specific origins, you can configure xFrameOptions to allow only those.**
[src/app.ts [22]](https://github.com/nhost/hasura-auth/pull/534/files#diff-841254fe75488c1bd4cd7f68f00b4be0e48dcfbc4a16b45847b68295e0e3b27bR22-R22)
```diff
-app.use(helmet({ xFrameOptions: false }), json());
+app.use(helmet({
+ xFrameOptions: { action: 'ALLOW-FROM', domain: 'https://example.com' }
+}), json());
```
- [ ] **Apply this suggestion**
Suggestion importance[1-10]: 9Why: The suggestion addresses a significant security concern by preventing the application from being embedded in a frame from any origin, which could lead to clickjacking attacks. It proposes a more secure configuration for the `helmet` middleware. | 9 |
@dbarrosop If preferred I guess it could be set like this instead? Keeping some secure defaults, but giving users the possibility to allow certain domains
app.use(
helmet({
xFrameOptions: {
action: 'ALLOW-FROM',
domain: ENV.AUTH_ACCESS_CONTROL_ALLOWED_REDIRECT_URLS,
},
}),
json()
);
If preferred I guess it could be set like this instead?
I will do a bit more of reading to confirm but I think it is fine to just disable it, this header is meant to protect you from clickjacking attacks but this is an API returning json or doing redirects, there is nothing to click.
Category | Suggestion | Score |
Security |
Modify the xFrameOptions setting to 'SAMEORIGIN' for enhanced security___ **Consider settingxFrameOptions to a specific policy rather than disabling it entirely to maintain some level of protection against clickjacking. For example, you can set it to 'SAMEORIGIN' to allow framing of the site only by pages in the same origin.** [src/app.ts [22]](https://github.com/nhost/hasura-auth/pull/534/files#diff-841254fe75488c1bd4cd7f68f00b4be0e48dcfbc4a16b45847b68295e0e3b27bR22-R22) ```diff -app.use(helmet({ xFrameOptions: false }), json()); +app.use(helmet({ xFrameOptions: 'SAMEORIGIN' }), json()); ``` - [ ] **Apply this suggestion** Suggestion importance[1-10]: 9Why: The suggestion improves security by setting `xFrameOptions` to 'SAMEORIGIN' instead of disabling it entirely, which helps protect against clickjacking attacks. | 9 |
thx for pointing us to the right place, I am closing this PR in favor of #535
User description
Disabling the x-frame-options header that is set to
sameorigin
by helmet as default. The header made it hard to embed applications using SSO. Instead, the responsibility of setting this header should be solely on the frontend on the application itself.Before submitting this PR:
Checklist
Breaking changes
Avoid breaking changes and regressions. If you feel it is unavoidable, make it explicit in your PR comment so we can review it and see how to handle it.
Tests
make test
or themake watch
command).Documentation
Please make sure the documentation is updated accordingly, in particular:
PR Type
Bug fix
Description
x-frame-options
header set by Helmet tosameorigin
.x-frame-options
header, allowing applications using SSO to embed without issues.Changes walkthrough 📝
app.ts
Disable default x-frame-options header in Helmet configuration
src/app.ts
x-frame-options
header set by Helmet.x-frame-options
header.