summaryrefslogtreecommitdiff
path: root/puppet/modules/site_apache
diff options
context:
space:
mode:
authorMicah Anderson <micah@leap.se>2013-08-20 20:53:58 -0400
committerMicah Anderson <micah@leap.se>2013-08-21 12:26:24 -0400
commit538fe40239c59c186099fa7e1a026969fba4ae36 (patch)
tree449cae291fb18af6ac174b6675b82d5f1988d790 /puppet/modules/site_apache
parente3a1c5d0c8f644bc0956758a8832d2f586556cf6 (diff)
Set apache header X-Frame-Options: "DENY"
The LEAP web application can be displayed inside other pages using an HTML iframe. Therefore, an attacker can embed parts of the LEAP application inside of a webpage they control. They can then use special style properties to disguise the embedded page. By tricking a user in to clicking in the iframe, the attacker can coerce the user in to performing unintended actions within the LEAP web application. An attacker creates a website that embeds the LEAP web application in an iframe. They then create an HTML /JavaScript game on the same page that involves clicking and dragging sprites. When a user plays the game, they are in fact dragging new text values in to the ‘‘Change Password’’ form in the LEAP web app, which is hidden behind the game using As long as iframe embedding is not required in the normal usage of the application, the X-Frame-Options header should be added to prevent browsers from displaying the web application in frames on other origins. This has also been set in the webapp Change-Id: I9e26ae32de4b7b6a327196838d0fa410648f107d
Diffstat (limited to 'puppet/modules/site_apache')
-rw-r--r--puppet/modules/site_apache/files/conf.d/security5
1 files changed, 5 insertions, 0 deletions
diff --git a/puppet/modules/site_apache/files/conf.d/security b/puppet/modules/site_apache/files/conf.d/security
index 11159f48..a5ae5bdc 100644
--- a/puppet/modules/site_apache/files/conf.d/security
+++ b/puppet/modules/site_apache/files/conf.d/security
@@ -48,3 +48,8 @@ ServerSignature Off
#TraceEnable Off
TraceEnable On
+# Setting this header will prevent other sites from embedding pages from this
+# site as frames. This defends against clickjacking attacks.
+# Requires mod_headers to be enabled.
+#
+Header set X-Frame-Options: "DENY"