Review applications for X-Frame-Options header #230

Open
sandbergja opened this issue Aug 15, 2024 · 0 comments
sandbergja commented Aug 15, 2024

Priority of this ticket

We should do https://github.com/PrincetonUniversityLibrary/security/issues/69 first, since it would provide many of these protections. This would potentially add protections for additional browsers that don't support CSP, which we may or may not need to support.

What maintenance needs to be done

Check our applications to see if they respond with an X-Frame-Options header. For any applications that don't have this protection, determine if the application will ever need to be embedded in an iframe. If not, write a ticket to start responding with clickjacking security headers.

Note that Rails 5 and above defaults to sending 'X-Frame-Options' => 'SAMEORIGIN'

Further reading

@sandbergja sandbergja changed the title Review applications for X-Frame-Options header and other clickjacking prevention Review applications for X-Frame-Options header Sep 11, 2024
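The check described in the ticket, as an added example rather than code from this repository: it classifies a response's headers as protected by CSP `frame-ancestors`, by `X-Frame-Options` (`DENY`/`SAMEORIGIN`), or unprotected, and a small wrapper fetches live headers with a HEAD request. The header hashes in the test are constructed, and `check_url` assumes the application answers HEAD on the given path.

```ruby
require 'net/http'
require 'uri'

# Classify clickjacking protection from a hash of response headers.
# Header names are matched case-insensitively. CSP frame-ancestors wins over
# X-Frame-Options because browsers that support it ignore X-Frame-Options.
def clickjacking_protection(headers)
  h = headers.each_with_object({}) { |(k, v), acc| acc[k.to_s.downcase] = v.to_s }
  csp = h['content-security-policy']
  xfo = h['x-frame-options']

  # Pull the frame-ancestors source list out of the CSP, if present.
  fa = nil
  if csp
    directive = csp.split(';').map(&:strip)
                   .find { |d| d.downcase.start_with?('frame-ancestors') }
    fa = directive.split(/\s+/, 2)[1].to_s.strip if directive
  end

  if fa && !fa.empty? && fa != '*'
    { protected: true, via: 'Content-Security-Policy frame-ancestors', value: fa }
  elsif fa == '*'
    { protected: false, via: 'Content-Security-Policy frame-ancestors', value: fa,
      note: 'frame-ancestors * allows any origin to frame the page' }
  elsif xfo && %w[DENY SAMEORIGIN].include?(xfo.strip.upcase)
    { protected: true, via: 'X-Frame-Options', value: xfo.strip.upcase }
  elsif xfo
    { protected: false, via: 'X-Frame-Options', value: xfo,
      note: 'unrecognized value (ALLOW-FROM is ignored by current browsers)' }
  else
    { protected: false, via: nil, value: nil, note: 'no clickjacking header' }
  end
end

# Fetch one application's headers (HEAD request, no redirect following) and classify them.
# Net::HTTP returns each header as an array of values; the first value is used here.
def check_url(url)
  uri = URI(url)
  Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
    res = http.head(uri.request_uri)
    clickjacking_protection(res.to_hash.transform_values(&:first))
  end
end

if __FILE__ == $PROGRAM_NAME
  ARGV.each { |u| puts "#{u}: #{check_url(u).inspect}" }
end
```

Run it as `ruby check_xfo.rb https://app.example.edu/` for each application; anything reporting `protected: false` is a candidate for the follow-up ticket the issue describes.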