Clickjacking: CSP frame-ancestors missing
Description
Clickjacking is an attack technique in which a malicious page loads the target application inside an iframe and tricks the user into clicking hidden or disguised elements, so that the click lands on a real control in the framed application and performs an action the user did not intend (for example changing a setting, confirming a transfer, or granting a permission). This finding is raised because the server's Content-Security-Policy (CSP) response header does not contain a frame-ancestors directive. frame-ancestors is the only CSP directive that controls who may embed the page; it must be delivered in the HTTP response header (browsers ignore it inside a <meta http-equiv> tag), and when present it takes precedence over X-Frame-Options. Without it, any site can embed the application and overlay transparent or opaque layers to steer the user's clicks.
Remediation
Send a Content-Security-Policy header with a frame-ancestors directive that lists the origins allowed to embed the application. Also send the legacy X-Frame-Options header for browsers that predate CSP Level 2; browsers that understand frame-ancestors ignore X-Frame-Options when both are present, so keep the two consistent. Note that frame-ancestors accepts only 'none', 'self', scheme sources (for example https:) and host sources; it does not fall back to default-src, so a policy of default-src 'self' alone leaves framing unrestricted.
Recommended Configuration:
To prevent all framing:
Content-Security-Policy: frame-ancestors 'none'
X-Frame-Options: DENY
To allow framing only by the same origin:
Content-Security-Policy: frame-ancestors 'self'
X-Frame-Options: SAMEORIGIN
To allow framing by specific trusted domains (CSP is the only mechanism that supports this reliably):
Content-Security-Policy: frame-ancestors 'self' https://trusted-domain.com
Do not rely on X-Frame-Options: ALLOW-FROM for this case. ALLOW-FROM is obsolete: Chrome and Safari never supported it and Firefox has removed it, and a browser that does not recognise the value ignores the X-Frame-Options header entirely, which would leave framing unrestricted if the CSP header were missing. Either omit X-Frame-Options when third-party framing is required, or send X-Frame-Options: SAMEORIGIN alongside the CSP header and accept that very old browsers will refuse the trusted-domain embed.
Implementation Examples:
Apache (.htaccess or httpd.conf):
Header always set Content-Security-Policy "frame-ancestors 'none'"
Header always set X-Frame-Options "DENY"
Nginx (nginx.conf):
add_header Content-Security-Policy "frame-ancestors 'none'" always;
add_header X-Frame-Options "DENY" always;
IIS (web.config):
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Content-Security-Policy" value="frame-ancestors 'none'" />
<add name="X-Frame-Options" value="DENY" />
</customHeaders>
</httpProtocol>
</system.webServer>
After implementation, verify the headers on an actual HTTP response (for example with curl -I https://your-app.example/ or the Network tab of the browser developer tools) rather than in the page source, since a frame-ancestors directive placed in a <meta> tag is ignored. Check error pages, redirects and API responses as well as the main page: the directive must be present on every response that can be framed, and Apache's Header always / Nginx's add_header ... always are used above precisely so that non-2xx responses carry it too. If an application or reverse proxy sets its own Content-Security-Policy, make sure frame-ancestors is merged into that single header rather than dropped.
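As an added example, not part of the original finding text or of any vendor tool, the Python script below evaluates a response's Content-Security-Policy and X-Frame-Options headers the way a browser decides whether a given origin may frame the page: frame-ancestors wins when present, X-Frame-Options is consulted only as a fallback, and an unrecognised X-Frame-Options value (such as ALLOW-FROM) gives no protection. The sample header sets, the page origin https://app.example and the attacker origin https://evil.example are constructed for illustration; use it as a checker against headers captured from your own deployment.

```python
"""Decide whether an embedder origin may frame a page, given its response headers.

Added example for the clickjacking / missing frame-ancestors finding. All header
values, origins and host names below are constructed, not taken from a live system.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed origins for the demonstration (assumed, not real hosts).
PAGE = "https://app.example"
ATTACKER = "https://evil.example"


def origin_of(url: str) -> tuple:
    """Normalise a URL to its (scheme, host, port) origin tuple."""
    p = urlsplit(url.lower())
    return (p.scheme, p.hostname or "", p.port or DEFAULT_PORTS.get(p.scheme, 0))


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive-name: [source tokens]}.

    Directive names are lower-cased; a repeated directive is ignored, as browsers do.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def source_allows(source: str, page_origin: str, embedder_origin: str) -> bool:
    """Does one frame-ancestors source expression permit embedder_origin?"""
    src = source.lower()
    page_scheme = origin_of(page_origin)[0]
    emb_scheme, emb_host, emb_port = origin_of(embedder_origin)
    if src == "'none'":
        return False
    if src == "'self'":
        return origin_of(page_origin) == origin_of(embedder_origin)
    if src.endswith(":") and "/" not in src:          # scheme-source, e.g. https:
        return emb_scheme == src[:-1]
    scheme, sep, hostport = src.partition("://")       # host-source
    if not sep:                                        # bare host inherits the page's scheme
        scheme, hostport = page_scheme, src
    host, _, port = hostport.partition(":")
    host = host.split("/", 1)[0]                       # frame-ancestors ignores any path
    # Scheme must match, except that an http source is satisfied by an https embedder.
    if not (emb_scheme == scheme or (scheme == "http" and emb_scheme == "https")):
        return False
    if host.startswith("*."):                          # wildcard requires at least one extra label
        if not emb_host.endswith(host[1:]):
            return False
    elif host != "*" and host != emb_host:
        return False
    if port == "*":
        return True
    expected = int(port) if port else DEFAULT_PORTS.get(emb_scheme, 0)
    return emb_port == expected


def framing_allowed(headers: dict, page_origin: str, embedder_origin: str) -> tuple:
    """Return (allowed, basis): may embedder_origin frame the page, and which header decided it."""
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = parse_csp(h.get("content-security-policy", "")).get("frame-ancestors")
    if ancestors is not None:
        # CSP frame-ancestors takes precedence; an empty source list behaves like 'none'.
        ok = any(source_allows(s, page_origin, embedder_origin) for s in ancestors)
        return ok, "frame-ancestors"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "x-frame-options"
    if xfo == "SAMEORIGIN":
        return origin_of(page_origin) == origin_of(embedder_origin), "x-frame-options"
    # Header absent, ALLOW-FROM, or any other value: current browsers impose no restriction.
    return True, "no effective framing control"


def missing_frame_ancestors(headers: dict) -> bool:
    """The condition this finding reports: no frame-ancestors directive in the CSP header."""
    h = {k.lower(): v for k, v in headers.items()}
    return "frame-ancestors" not in parse_csp(h.get("content-security-policy", ""))


# Constructed sample responses (illustrative header values, not captured from any server).
SAMPLES = {
    "unprotected": {"Content-Security-Policy": "default-src 'self'"},
    "deny": {"Content-Security-Policy": "frame-ancestors 'none'", "X-Frame-Options": "DENY"},
    "partner": {"Content-Security-Policy": "frame-ancestors 'self' https://*.trusted-domain.com"},
    "xfo_allow_from": {"X-Frame-Options": "ALLOW-FROM https://trusted-domain.com"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        allowed, basis = framing_allowed(hdrs, PAGE, ATTACKER)
        print(f"{name:15} finding={missing_frame_ancestors(hdrs)!s:5} "
              f"attacker_can_frame={allowed!s:5} ({basis})")
```

The "unprotected" sample is exactly the situation this finding describes: a CSP header exists, but because default-src does not govern framing and no frame-ancestors directive is present, the attacker origin is allowed to embed the page. The "xfo_allow_from" sample shows why ALLOW-FROM is not a remediation. To check a real deployment, replace SAMPLES with the headers from a captured response and PAGE with the application's origin.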