Basic web security

[rainit2006]

Solving Clickjacking

https://www.youtube.com/watch?v=Pdc5KJfOQpI

Defense for clickjacking

https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html There are three main mechanisms that can be used to defend against these attacks:

• Preventing the browser from loading the page in frame using the X-Frame-Options or Content Security Policy (frame-ancestors) HTTP headers.
• Preventing session cookies from being included when the page is loaded in a frame using the SameSite cookie attribute.
• Implementing JavaScript code in the page to attempt to prevent it being loaded in a frame (known as a "frame-buster").

CSP （Content-Security-Policy）

• Content-Security-Policy: frame-ancestors 'none'; This prevents any domain from framing the content. This setting is recommended unless a specific need has been identified for framing.
• Content-Security-Policy: frame-ancestors 'self'; This only allows the current site to frame the content.
• Content-Security-Policy: frame-ancestors 'self' *.somesite.com https://myfriend.site.com; This allows the current site, as well as any page on somesite.com (using any protocol), and only the page myfriend.site.com, using HTTPS only on the default port (443).

[rainit2006]

HTTP Security Response Headers Cheat Sheet

https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html Recommendation：

• X-Frame-Options: DENY
• X-XSS-Protection: 0
• X-Content-Type-Options: nosniff
• Referrer-Policy: strict-origin-when-cross-origin
• Content-Type: text/html; charset=UTF-8
• Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
• Set-Cookie： https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#cookies
• Content-Security-Policy (CSP)：https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html
• Cross-Origin-Embedder-Policy: require-corp
• Cross-Origin-Resource-Policy: same-site