@atharv02-git atharv02-git commented Apr 30, 2025

Base Branch: app-attack-fixes

Note: Making a PR to doubtfire-deploy so that this can be merged asap, and HardHat leads can retest this fix.

Description

  • This PR addresses Clickjacking and potential XSS vulnerabilities by adding appropriate security headers to the proxy-nginx.conf file used in production. These headers are now enforced at the outer reverse proxy layer (doubtfire-deploy) to ensure consistent protection across all services.
  • The changes follow recommendations from the AppAttack x OnTrack vulnerability report and align with security best practices for modern web applications.

Note

Kindly go through the attached documentation first in order to understand what this fix is about in detail and how it can be tested.

What was changed:

  • Modified: production/shared-files/proxy-nginx.conf

Fixes # (Clickjacking vulnerability (AppAttack finding))

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • This change requires a documentation update

How Has This Been Tested?

  • Used browser DevTools to inspect headers returned for application responses
  • Yet to test Clickjacking Prevention in a malicious <iframe> setup as listed in the report.

Testing Checklist:

  • Tested in latest Chrome
  • Needs to be tested inside a dedicated environment like Kali Linux inside VirtualBox.

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings

Note: This PR should be merged in sync with the corresponding PR in doubtfire-web where redundant headers are commented out to prevent override.

@atharv02-git atharv02-git deleted the app-attack-fixes/clickjacking-vulnerability branch April 30, 2025 03:12
@atharv02-git atharv02-git restored the app-attack-fixes/clickjacking-vulnerability branch April 30, 2025 03:12
@atharv02-git atharv02-git reopened this Apr 30, 2025
@atharv02-git atharv02-git changed the title Added security headers to prevent Click Jacking and XSS inside proxy-… app-attack-fixes/clickjacking vulnerability May 5, 2025
@aNebula aNebula merged commit d631afd into thoth-tech:app-attack-fixes May 5, 2025
@DarrylO21
Hi @atharv02-git, I have tested your fix for the clickjacking vulnerability on my end and can confirm that it has been resolved. The added security headers X-Frame-Options: DENY and Content-Security-Policy: frame-ancestors 'none' are correctly set and effectively mitigate the issue. Nice work implementing these protections.

Best regards,
Darryl
PT and SCR Senior Lead, AppAttack
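The retest above inspects the response headers by hand; the following is an added example (not code from this PR or the doubtfire-deploy repository) that performs the same check programmatically on a header dump, applying the precedence rule that a CSP frame-ancestors directive overrides X-Frame-Options in browsers that support it, and flagging the duplicate-header situation the PR description warns about. The header samples are constructed, not captured from OnTrack.

```python
# Added example (not part of the PR or the doubtfire-deploy repo): check which
# anti-clickjacking controls a response carries. Sample headers are constructed.
from typing import Dict, List, Tuple

def parse_raw_headers(raw: str) -> List[Tuple[str, str]]:
    """Parse 'Name: value' lines (as pasted from DevTools or `curl -I`),
    keeping duplicate headers so conflicting copies can be reported."""
    pairs = []
    for line in raw.splitlines():
        if ":" in line and not line.startswith("HTTP/"):
            name, _, value = line.partition(":")
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def frame_ancestors(csp: str) -> List[str]:
    """Return the source list of the frame-ancestors directive, [] if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return []

def assess_clickjacking(raw: str) -> Dict[str, object]:
    """Decide whether the response may be framed by a third-party origin."""
    headers = parse_raw_headers(raw)
    xfo = [v.upper() for n, v in headers if n == "x-frame-options"]
    ancestors = [a for n, v in headers if n == "content-security-policy"
                 for a in frame_ancestors(v)]
    findings = []
    # Browsers that support frame-ancestors apply it and ignore X-Frame-Options
    # when both are present, so CSP is authoritative whenever it is set.
    csp_blocks = bool(ancestors) and all(a in ("'none'", "'self'") for a in ancestors)
    xfo_blocks = bool(xfo) and all(v in ("DENY", "SAMEORIGIN") for v in xfo)
    protected = csp_blocks if ancestors else xfo_blocks
    if not protected:
        findings.append("page may be embedded cross-origin: no restrictive framing policy")
    if len(xfo) > 1:
        findings.append("multiple X-Frame-Options values %s: set the header at one layer "
                        "only (this PR removes the doubtfire-web copy for that reason)" % xfo)
    if xfo and not ancestors:
        findings.append("only X-Frame-Options present: add CSP frame-ancestors for current browsers")
    return {"protected": protected, "x_frame_options": xfo,
            "frame_ancestors": ancestors, "findings": findings}

# Constructed samples: what the proxy returns after this PR, and a response with no framing controls.
PROXY_FIXED = ("HTTP/1.1 200 OK\nX-Frame-Options: DENY\n"
               "Content-Security-Policy: frame-ancestors 'none'\nContent-Type: text/html")
UNPROTECTED = "HTTP/1.1 200 OK\nContent-Type: text/html"
```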
