
I want to defend my website against clickjacking. I tried my best to prevent this with some references [1][2][3]. But for some reason, even with the DENY option, I can iframe my website. Am I doing something wrong?

We are using the following Apache configuration in /etc/apache2/conf-available/security.conf:

ServerTokens Prod
ServerSignature Off
TraceEnable Off
Header always append X-Frame-Options DENY
Header always append X-Content-Type-Options: "nosniff"
Header always set X-XSS-Protection: "1; mode=block"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: https:; frame-ancestors 'self';"
Header always set Referrer-Policy "same-origin"
Header always set Permissions-Policy "geolocation=();midi=();notifications=();push=();sync-xhr=();microphone=();camera=();magnetometer=();gyroscope=();speaker=(self);vibrate=();fullscreen=(self);payment=();"
Header always edit Set-Cookie ^(.*)$ "$1;HttpOnly;Secure"

<Directory /var/www/>
  Options -Indexes
</Directory>

I’m using the following test html file:

<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta name="description" content="X-Frame-Bypass: Web Component extending IFrame to bypass X-Frame-Options: deny/sameorigin">
    <title>X-Frame-Bypass Web Component Demo</title>
    <style>
        html, body {
            margin: 0;
            padding: 0;
            height: 100%;
            overflow: hidden;
        }
        iframe {
            display: block;
            width: calc(70% - 40px);
            height: calc(80% - 40px);
            margin: 20px;
        }
        img {
            position: absolute;
            top: 0;
            right: 0;
        }
    </style>
    <script src="https://unpkg.com/@ungap/custom-elements-builtin"></script>
    <script src="https://unpkg.com/x-frame-bypass" type="module"></script>
</head>
<body>
    <h1>x-frame-bypass in your site</h1>
    <iframe is="x-frame-bypass" src="https://example.com/"></iframe>
</body>
</html>

If I check the headers with curl I see this:

curl -I https://example.com

HTTP/2 302
date: Thu, 13 May 2021 20:20:17 GMT
content-type: text/html; charset=UTF-8
location: https://example.com
cf-ray: xxxxxx
access-control-allow-origin: *
cache-control: no-store, no-cache, must-revalidate
expires: Thu, 19 Nov 1981 08:52:00 GMT
set-cookie: SESSID8d82=xxxxxx; path=/; secure; HttpOnly;HttpOnly;Secure
strict-transport-security: max-age=15552000; includeSubDomains
cf-cache-status: BYPASS
cf-apo-via: origin,host
cf-request-id: xxxxxxx
content-security-policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' data: https:; frame-ancestors 'self';
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
permissions-policy: geolocation=();midi=();notifications=();push=();sync-xhr=();microphone=();camera=();magnetometer=();gyroscope=();speaker=(self);vibrate=();fullscreen=(self);payment=();
pragma: no-cache
referrer-policy: same-origin
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1; mode=block
report-to: {"endpoints":[{"url":"https://a.nel.cloudflare.com/report?s=xxxxxx"}],"group":"cf-nel","max_age":604800}
nel: {"report_to":"cf-nel","max_age":604800}
server: cloudflare

P.S.: We are using Cloudflare.

References

  1. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
  2. https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html
  3. https://www.keycdn.com/blog/x-frame-options
Anonymous Asked question May 14, 2021
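An added example, not part of the question above and not code from any of the referenced projects: a small Python checker that parses a `curl -I` style header block and works out which embedding origins the response's clickjacking defences actually permit. It encodes the precedence rule browsers apply when both headers are present: a CSP `frame-ancestors` directive, if there is one, takes effect and `X-Frame-Options` is ignored. That is the situation in the configuration above (`X-Frame-Options: DENY` next to `frame-ancestors 'self'`), where the effective policy is "same origin may frame", not "nobody may frame". Note that these headers are enforced by the browser only when it loads the page directly from the origin; a copy of the page fetched through a third-party proxy and injected as inline markup never carries them, so a check like this describes the direct-framing case only. The sample header block, the origins and the `partner.example` wildcard source are constructed for the demonstration.

```python
"""Evaluate which embedders a response's anti-clickjacking headers permit.

Constructed example: parses a curl -I style header block, then applies the
browser precedence rule that CSP frame-ancestors overrides X-Frame-Options.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample response (not the one from the question): XFO DENY next
# to a frame-ancestors list that allows 'self' and a wildcard partner domain.
SAMPLE_RESPONSE = """HTTP/2 200
content-type: text/html; charset=UTF-8
content-security-policy: default-src 'self' https:; frame-ancestors 'self' https://*.partner.example;
x-frame-options: DENY
x-content-type-options: nosniff
"""


def parse_headers(raw):
    """Turn a raw header block (status line first) into a dict keyed by
    lowercase header name; a header sent more than once is joined with ', '."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = value if name not in headers else headers[name] + ", " + value
    return headers


def csp_directive(csp, name):
    """Source list of one CSP directive, or None when the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == name:
            return tokens[1:]
    return None


def origin_parts(origin):
    """(scheme, host, port) of an origin string, with the default port filled in."""
    o = urlsplit(origin)
    scheme = o.scheme.lower()
    return scheme, (o.hostname or "").lower(), o.port or DEFAULT_PORTS.get(scheme)


def source_matches(source, page_origin, embedder_origin):
    """Simplified CSP source-expression matching as used by frame-ancestors:
    'none', 'self', '*', scheme-source (https:) and host-source with an
    optional '*.' subdomain wildcard. Paths are not considered."""
    source = source.lower()
    if source == "'none'":
        return False
    if source == "'self'":
        return origin_parts(page_origin) == origin_parts(embedder_origin)
    if source == "*":
        return True
    scheme, host, port = origin_parts(embedder_origin)
    if source.endswith(":") and "/" not in source:          # scheme-source, e.g. "https:"
        return scheme == source[:-1]
    src = urlsplit(source if "://" in source else f"{scheme}://{source}")
    if src.scheme != scheme:
        return False
    src_host = src.hostname or ""
    if src_host.startswith("*."):
        if not host.endswith(src_host[1:]):                   # "*.a.b" matches x.a.b, not a.b
            return False
    elif src_host != host:
        return False
    return src.port is None or src.port == port


def framing_allowed(headers, page_origin, embedder_origin):
    """True if a browser loading the page directly from page_origin would let
    a document at embedder_origin frame it, given these response headers."""
    csp = headers.get("content-security-policy")
    sources = csp_directive(csp, "frame-ancestors") if csp else None
    if sources is not None:                                   # CSP present: XFO is ignored
        return any(source_matches(s, page_origin, embedder_origin) for s in sources)
    values = {v.strip().upper() for v in headers.get("x-frame-options", "").split(",") if v.strip()}
    if not values:
        return True                                           # no policy at all: anyone may frame
    if values == {"DENY"}:
        return False
    if values == {"SAMEORIGIN"}:
        return origin_parts(page_origin) == origin_parts(embedder_origin)
    if len(values) > 1 and values & {"DENY", "SAMEORIGIN"}:
        return False                                          # conflicting values: Chromium falls back to deny
    return True                                               # unrecognised value is ignored by browsers


def findings(headers):
    """Configuration points a reviewer would flag, as a list of strings."""
    out = []
    xfo = headers.get("x-frame-options")
    csp = headers.get("content-security-policy")
    fa = csp_directive(csp, "frame-ancestors") if csp else None
    if xfo is None and fa is None:
        out.append("no clickjacking defence: neither X-Frame-Options nor frame-ancestors is set")
    if xfo and "," in xfo:
        out.append("X-Frame-Options sent more than once: " + xfo)
    if xfo and fa is None:
        out.append("only X-Frame-Options present; add CSP frame-ancestors for per-origin control")
    if xfo and fa is not None and xfo.strip().upper() == "DENY" and "'none'" not in [s.lower() for s in fa]:
        out.append("frame-ancestors overrides X-Frame-Options: DENY; effective policy is " + " ".join(fa))
    return out


if __name__ == "__main__":
    hdrs = parse_headers(SAMPLE_RESPONSE)
    for embedder in ("https://example.com", "https://attacker.example", "https://app.partner.example"):
        print(f"{embedder:32} may frame: {framing_allowed(hdrs, 'https://example.com', embedder)}")
    for f in findings(hdrs):
        print("finding:", f)
```

Feed it the output of `curl -I` against your own site and the `findings` list tells you whether `X-Frame-Options` and `frame-ancestors` agree; with the question's configuration the report shows that `frame-ancestors 'self'` is the effective policy, which is why same-origin framing still works, and that any origin not in that list is refused by a browser loading the page directly.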