Security: Use clickjack protection #14
Labels: bug, enhancement, help wanted
Describe the bug
Protect against clickjacking attacks by restricting how our pages can be embedded within iframes. Clickjacking attacks involve an attacker displaying our pages within an iframe on a site they control. For example, an attacker could overlay a UI layer over an iframe to trick visitors into triggering actions on our page, as well as overlaying form fields to steal data. Clickjacking has been used to exploit users into sharing links on social networks, clicking ads and stealing passwords. Protect against these attacks using the X-Frame-Options response header to restrict which hosts are allowed to embed our pages.
To Reproduce
X-Frame-Options: None
Expected behavior
The possible options are:
For example, X-Frame-Options: DENY will block all iframe usage. You should use a setting that's as restrictive as possible.
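As an added example (not code from this project or from the issue author), the Python below audits the framing policy a response actually carries, including the `X-Frame-Options: None` case from the report, which browsers treat as an invalid value and therefore as no protection, and applies the restrictive setting. It also goes slightly beyond the issue text by checking the Content-Security-Policy `frame-ancestors` directive, which browsers honour in preference to X-Frame-Options when both are present. Function names and the sample header sets are constructed for illustration.

```python
"""Audit and harden HTTP response headers against clickjacking (constructed example)."""
from typing import Dict, Mapping

# Restrictive default recommended in the issue: block all framing.
DEFAULT_XFO = "DENY"
DEFAULT_FRAME_ANCESTORS = "'none'"


def framing_policy(headers: Mapping[str, str]) -> str:
    """Classify how restrictive a response's framing policy is.

    Returns one of:
      "deny"       - no site may frame the page
      "sameorigin" - only same-origin pages may frame it
      "allow-list" - CSP frame-ancestors names specific allowed origins
      "obsolete"   - X-Frame-Options ALLOW-FROM, ignored by current browsers
      "invalid"    - header present but value unrecognised (e.g. "None")
      "none"       - no framing policy at all
    Header names are matched case-insensitively, as HTTP requires.
    """
    lower = {k.lower(): v for k, v in headers.items()}

    # CSP frame-ancestors wins over X-Frame-Options when both are present.
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() != "frame-ancestors":
            continue
        sources = [s.lower() for s in value.split()]
        if not sources or sources == ["'none'"]:
            return "deny"          # empty list matches nothing, same as 'none'
        if sources == ["'self'"]:
            return "sameorigin"
        return "allow-list"

    xfo = lower.get("x-frame-options", "").strip().upper()
    if not xfo:
        return "none"
    if xfo == "DENY":
        return "deny"
    if xfo == "SAMEORIGIN":
        return "sameorigin"
    if xfo.startswith("ALLOW-FROM"):
        return "obsolete"          # browsers ignore it, so the page is framable
    return "invalid"               # e.g. "None": header ignored, no protection


def is_protected(headers: Mapping[str, str]) -> bool:
    """True only when every cross-site framing attempt is blocked."""
    return framing_policy(headers) in ("deny", "sameorigin")


def add_clickjack_protection(headers: Mapping[str, str],
                             xfo: str = DEFAULT_XFO,
                             frame_ancestors: str = DEFAULT_FRAME_ANCESTORS) -> Dict[str, str]:
    """Return a copy of the headers with both framing controls set.

    X-Frame-Options covers older browsers; frame-ancestors covers modern ones.
    An existing Content-Security-Policy is kept and the directive appended.
    """
    out = dict(headers)
    out["X-Frame-Options"] = xfo
    existing = out.get("Content-Security-Policy", "").strip().rstrip(";")
    directive = f"frame-ancestors {frame_ancestors}"
    out["Content-Security-Policy"] = f"{existing}; {directive}" if existing else directive
    return out


if __name__ == "__main__":
    # Constructed sample responses, one per situation the audit distinguishes.
    samples = {
        "issue report":   {"X-Frame-Options": "None"},
        "no header":      {"Content-Type": "text/html"},
        "deny":           {"x-frame-options": "deny"},
        "csp only":       {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
        "partner list":   {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
        "allow-from":     {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    }
    for label, hdrs in samples.items():
        print(f"{label:14} -> {framing_policy(hdrs):10} protected={is_protected(hdrs)}")
    print("hardened:", add_clickjack_protection(samples["no header"]))
```

Run the file directly to see each constructed response classified; `is_protected` is the check to wire into a test suite so a regression back to a missing or malformed header fails the build.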