Disabling the `x-frame-options` header that helmet sets to `sameorigin` by default.
The header made it hard to embed applications using SSO. Instead, the responsibility of setting this header should be solely on the frontend of the application itself.
Before submitting this PR:
Checklist
No breaking changes
Tests pass
New features have new tests
Documentation is updated
Breaking changes
Avoid breaking changes and regressions. If you feel it is unavoidable, make it explicit in your PR comment so we can review it and see how to handle it.
Tests
Please make sure your changes pass the current tests (use the `make test` or the `make watch` command).
If you are introducing a new feature, please write as many tests as possible.
Documentation
Please make sure the documentation is updated accordingly, in particular:
- Clickjacking Vulnerability: Removing the `x-frame-options` header without implementing alternative protections can make the application vulnerable to clickjacking attacks. This should be addressed either by frontend controls or other server-side security headers.
⚡ Key issues to review
Possible Security Risk: Disabling the x-frame-options header can expose the application to clickjacking attacks. It's important to ensure that other measures are in place to mitigate this risk, especially if the application is embedded in third-party sites.
Adjust the helmet configuration to selectively allow framing from trusted domains instead of disabling it entirely
Consider using a more specific configuration for the helmet middleware instead of disabling xFrameOptions globally. This change might inadvertently lower the security by allowing your app to be embedded in a frame from any origin. If the intention is to allow specific origins, you can configure xFrameOptions to allow only those.
Why: The suggestion addresses a significant security concern by preventing the application from being embedded in a frame from any origin, which could lead to clickjacking attacks. It proposes a more secure configuration for the helmet middleware.
@dbarrosop If preferred I guess it could be set like this instead?
Keeping some secure defaults, but giving users the possibility to allow certain domains
I will do a bit more reading to confirm, but I think it is fine to just disable it. This header is meant to protect you from clickjacking attacks, but this is an API returning JSON or doing redirects; there is nothing to click.
Modify the xFrameOptions setting to 'SAMEORIGIN' for enhanced security
Consider setting xFrameOptions to a specific policy rather than disabling it entirely to maintain some level of protection against clickjacking. For example, you can set it to 'SAMEORIGIN' to allow framing of the site only by pages in the same origin.
Why: The suggestion improves security by setting xFrameOptions to 'SAMEORIGIN' instead of disabling it entirely, which helps protect against clickjacking attacks.
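The thread weighs three options: disabling the header entirely (the PR), keeping helmet's `SAMEORIGIN` default, or allowing only trusted domains to embed. The following is an added example, not code from this PR or from helmet: a framework-free function that emits the headers each option produces, and a checker that applies browser precedence (`frame-ancestors` overrides `X-Frame-Options` when both are present) so a reviewer can confirm which embedders a given configuration admits. Origins used below are constructed placeholders. One caveat it encodes: modern browsers ignore the obsolete `ALLOW-FROM` value, so a per-origin allowlist has to be expressed with the CSP `frame-ancestors` directive rather than `X-Frame-Options` alone.

```javascript
"use strict";

// Headers for one framing policy. policy = { mode, origins? }.
// "sameorigin" is helmet's default; "off" is what the PR does.
function framingHeaders(policy) {
  const headers = {};
  switch (policy.mode) {
    case "off": // no header at all: the frontend is expected to set its own
      break;
    case "deny":
      headers["x-frame-options"] = "DENY";
      headers["content-security-policy"] = "frame-ancestors 'none'";
      break;
    case "sameorigin":
      headers["x-frame-options"] = "SAMEORIGIN";
      headers["content-security-policy"] = "frame-ancestors 'self'";
      break;
    case "allowlist": {
      // Only exact https origins are accepted; anything else is dropped.
      const origins = (policy.origins || []).filter((o) => /^https:\/\/[\w.-]+(:\d+)?$/.test(o));
      if (origins.length === 0) throw new Error("allowlist needs at least one https origin");
      // SAMEORIGIN stays as a fallback for clients without CSP; CSP wins where both are understood.
      headers["x-frame-options"] = "SAMEORIGIN";
      headers["content-security-policy"] = `frame-ancestors 'self' ${origins.join(" ")}`;
      break;
    }
    default:
      throw new Error(`unknown framing mode: ${policy.mode}`);
  }
  return headers;
}

// May a page at `embedder` frame a page at `self` that answered with `headers`?
// Handles 'none', 'self' and exact origins in frame-ancestors, then X-Frame-Options.
function framingAllowed(headers, embedder, self) {
  const csp = headers["content-security-policy"] || "";
  const m = csp.match(/frame-ancestors\s+([^;]+)/i);
  if (m) {
    const sources = m[1].trim().split(/\s+/);
    if (sources.includes("'none'")) return false;
    return sources.some((s) => (s === "'self'" ? embedder === self : s === embedder));
  }
  const xfo = (headers["x-frame-options"] || "").toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return embedder === self;
  return true; // no framing header: any site may embed the page
}

module.exports = { framingHeaders, framingAllowed };
```

Running `framingAllowed` with the "off" policy against an arbitrary embedder returns true, which is exactly the exposure the review comments describe; whether that matters depends on whether the response is a frameable document or, as the maintainer argues, JSON and redirects.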
PR Type
Bug fix
Description
Disables the `x-frame-options` header that Helmet sets to `sameorigin`, allowing applications using SSO to embed without issues.
Changes walkthrough 📝
app.ts (src/app.ts): Disable the default `x-frame-options` header in the Helmet configuration.