Insecure or unset HTTP headers - X-Frame Options

Need

To prevent clickjacking attacks

Context

Usage of Elixir (v1.12+) for building scalable and fault-tolerant applications
Usage of Plug.Router for handling HTTP requests

Description

Non compliant code

defmodule MyApp.Router do
  use Plug.Router

  plug :match
  plug :dispatch

  match _ do
    send_resp(conn, 200, "Hello, world!")
  end

  defp put_headers(conn) do
    put_resp_header(conn, "x-frame-options", "SAMEORIGIN")
  end
end

The Elixir code sets the X-Frame-Options header to SAMEORIGIN. This header is deprecated and can be bypassed using several iframe layers, making it vulnerable to clickjacking attacks.

Steps

Replace the X-Frame-Options header with the Content-Security-Policy header
Set the frame-ancestors directive to 'self' to allow the page to be framed only by pages from the same origin

Compliant code

defmodule MyApp.Router do
  use Plug.Router

  plug :match
  plug :dispatch

  match _ do
    send_resp(conn, 200, "Hello, world!")
  end

  defp put_headers(conn) do
    put_resp_header(conn, "content-security-policy", "frame-ancestors 'self'")
  end
end

The secure Elixir code sets the Content-Security-Policy header with the frame-ancestors 'self' directive, which is a more secure replacement for the X-Frame-Options header.

References

152.Insecure or unset HTTP headers - X-Frame Options

Need​

Context​

Description​

Non compliant code​

Steps​

Compliant code​

References​