2016-05-31 22:00:59 +00:00
|
|
|
|
|
|
|
|
=== Clickjacking
|
|
|
|
|
|
|
|
|
|
With clickjacking, a malicious site loads the target site in a transparent iFrame overlaid on top of a set of dummy
|
|
|
|
|
buttons that are carefully constructed to be placed directly under important buttons on the target site.
|
|
|
|
|
When a user clicks a visible button, they are actually clicking a button (such as a "login" button) on the hidden page.
|
|
|
|
|
An attacker can steal a user's authentication credentials and access their resources.
|
|
|
|
|
|
2016-06-07 19:02:18 +00:00
|
|
|
By default, every response by {{book.project.name}} sets some specific browser headers that can prevent this from happening.
|
|
|
|
|
Specifically, it sets http://tools.ietf.org/html/rfc7034[X-FRAME_OPTIONS] and http://www.w3.org/TR/CSP/[Content-Security-Policy].
|
|
|
|
|
You should take a look at the definition of both of these headers as there is a lot of fine-grain browser access you can control.
|
2016-05-31 22:00:59 +00:00
|
|
|
In the admin console you can specify the values these headers will have. Go to the `Realm Settings` left menu item and
|
|
|
|
|
click the `Security Defenses` tab and make sure you are on the `Headers` sub-tab.
|
|
|
|
|
|
|
|
|
|
image:../../{{book.images}}/security-headers.png[]
|
|
|
|
|
|
|
|
|
|
By default, {{book.project.name}} only sets up a _same-origin_ policy for iframes.
|
|
|
|
|
|
