scorelab / Stackle

Stackle is a web communication portal aimed at providing open source organizations a platform to have discussions on their GitHub projects and their issues. It provides GitHub integration, which allows an administrator of an organization to create a forum thread for that particular organization. Users who sign in are able to view the forums of the organizations they contribute to and engage in the forum discussions.
Apache License 2.0

X-Frame-Options Header Not Set On Stackle App #191

Open thishnika opened 3 years ago

thishnika commented 3 years ago

Fixes CWE-16, CWE-601 & WASC-15 vulnerabilities on Stackle-app

Changes proposed in the pull request

In the HTTP response header of the Stackle application, set the X-Frame-Options parameter as below.

X-Frame-Options: DENY

Impact

The page cannot be displayed in a frame, regardless of the site attempting to do so.

Other information

References

  1. https://owasp.org/www-community/attacks/Clickjacking
  2. https://cwe.mitre.org/data/definitions/16.html
  3. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
  4. https://www.imperva.com/learn/application-security/clickjacking/#:~:text=Clickjacking%20is%20an%20attack%20that,or%20disguised%20as%20another%20element.&text=Typically%2C%20clickjacking%20is%20performed%20by,the%20page%20the%20user%20sees.
  5. https://javascript.info/clickjacking
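As an added illustration of the change proposed in this issue (example code written for this page, not Stackle's own), the block below shows a connect/Express-style middleware that sends `X-Frame-Options: DENY` together with its modern CSP equivalent, and a small checker that classifies a captured set of response headers so a reviewer can confirm the fix actually blocks framing. It assumes a Node.js server that accepts `(req, res, next)` middleware; the header samples at the bottom are constructed for the demonstration.

```javascript
// Added example (not Stackle's own code): Express/connect-style middleware that
// denies framing, plus a checker for a captured set of response headers.
// Assumes a Node.js server that accepts (req, res, next) middleware.

// Middleware: send X-Frame-Options: DENY together with its modern equivalent,
// the CSP frame-ancestors directive, so old and new browsers behave the same.
// In an Express app this would be registered with app.use(denyFraming).
function denyFraming(req, res, next) {
  res.setHeader('X-Frame-Options', 'DENY');
  res.setHeader('Content-Security-Policy', "frame-ancestors 'none'");
  if (typeof next === 'function') next();
}

// Parse the frame-ancestors directive out of a CSP header value.
// Returns the list of source expressions, or null if the directive is absent.
function frameAncestors(cspValue) {
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Classify a response's framing policy from its headers (keys in lowercase):
//   'blocked'     - no site may frame the page
//   'same-origin' - only the page's own origin may frame it
//   'allowed'     - a third-party site may frame it (clickjacking exposure)
// Browsers that understand frame-ancestors ignore X-Frame-Options when that
// directive is present, so the CSP directive is evaluated first.
function framingVerdict(headers) {
  const csp = headers['content-security-policy'];
  if (csp) {
    const sources = frameAncestors(csp);
    if (sources !== null) {
      // An empty source list matches nothing, which is the same as 'none'.
      if (sources.length === 0 || sources.includes("'none'")) return 'blocked';
      if (sources.every((s) => s === "'self'")) return 'same-origin';
      return 'allowed';
    }
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'blocked';
  if (xfo === 'SAMEORIGIN') return 'same-origin';
  // Missing header, or the obsolete ALLOW-FROM form that current browsers ignore.
  return 'allowed';
}

// Run a middleware against a stand-in response object and return the headers it set.
function headersSetBy(middleware) {
  const headers = {};
  const res = { setHeader(name, value) { headers[name.toLowerCase()] = value; } };
  middleware({}, res, () => {});
  return headers;
}

// Constructed header sets, as a scanner might capture them from live responses.
const SAMPLES = {
  'no header (the reported finding)': {},
  'X-Frame-Options: DENY': { 'x-frame-options': 'DENY' },
  'sameorigin (case-insensitive)': { 'x-frame-options': 'sameorigin' },
  'CSP overrides a stricter XFO': {
    'x-frame-options': 'DENY',
    'content-security-policy': "default-src 'self'; frame-ancestors *",
  },
  'denyFraming middleware output': headersSetBy(denyFraming),
};

for (const [label, headers] of Object.entries(SAMPLES)) {
  console.log(`${label.padEnd(34)} -> ${framingVerdict(headers)}`);
}
```

The checker deliberately reports the `CSP overrides a stricter XFO` sample as `allowed`: a permissive `frame-ancestors` directive silently cancels `X-Frame-Options: DENY` in modern browsers, which is why both headers should be reviewed together after the change lands. The `helmet` package for Express provides the same `X-Frame-Options` header through its `frameguard` middleware if the project prefers a maintained dependency over a hand-written one.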