Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

X-Frame-Options Header Not Set On Stackle App #191

Open
wants to merge 332 commits into
base: swagger-integration
Choose a base branch
from
Open

X-Frame-Options Header Not Set On Stackle App #191

wants to merge 332 commits into from

Conversation

thishnika
Copy link

@thishnika thishnika commented May 26, 2021
edited
Loading

Fixes CWE-16, CWE-601 & WASC-15 vulnerabilities on Stackle-app

Changes proposed in the pull request

In the HTTP response header of the Stackle application, set X-Frame-Options parameter as below.

X-Frame-Options: DENY

Impact

The page cannot be displayed in a frame, regardless of the site attempting to do so.

Other information

References

  1. https://owasp.org/www-community/attacks/Clickjacking
  2. https://cwe.mitre.org/data/definitions/16.html
  3. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
  4. https://www.imperva.com/learn/application-security/clickjacking/#:~:text=Clickjacking%20is%20an%20attack%20that,or%20disguised%20as%20another%20element.&text=Typically%2C%20clickjacking%20is%20performed%20by,the%20page%20the%20user%20sees.
  5. https://javascript.info/clickjacking

tharindupr and others added 30 commits February 14, 2018 10:26
@tharindupr
Merge pull request #48 from SidDevelop/patch-2
134cd8f 
Updated for elaboration
@tharindupr
Merge pull request #49 from iammosespaulr/master
1c6cd48 
UI TESTING FRAMEWORK
@tharindupr
Merge pull request #53 from Kalyan3578/patch-1
11b2ce5 
Official chatroom badge added
@tharindupr
Merge pull request #55 from kmehant/master
6bde226 
Update Dockerfile and correct error
@tharindupr
Merge pull request #61 from Kalyan3578/patch-2
3c18961 
Create issue_template.md
@varunzxzx
remove env from git
fc8d4c5
@varunzxzx
seperating app and server
74e284b
@varunzxzx
improve code quality
ec91da6
@tharindupr
Merge pull request #73 from varunzxzx/remove-env
9179fdf 
Separate app and server for fast testing execution and getting coverage metrics of the code
@varunzxzx
error handling
8f0ba9e
@bhavyaagg
Remove unused variables from server.js and properly indent and format…
26b58b8 
… code in server.js

Signed-off-by: Bhavya Aggarwal <[email protected]>
@bhavyaagg
Update PR to improve Codacy Report
f884626 
Signed-off-by: Bhavya Aggarwal <[email protected]>
@bhavyaagg
Change var to const in server.js and www.js
84a2a83 
Signed-off-by: Bhavya Aggarwal <[email protected]>
@bhavyaagg
Update routes.js to use const/let instead of var
9bf3acb 
Signed-off-by: Bhavya Aggarwal <[email protected]>
@bhavyaagg
Fix typos in issue_template
6c65787 
Signed-off-by: Bhavya Aggarwal <[email protected]>
@bhavyaagg
Add status codes to the response
b66a5d3 
Signed-off-by: Bhavya Aggarwal <[email protected]>
@bhavyaagg
Update routes.js to send a response for every request
f81ec63 
Signed-off-by: Bhavya Aggarwal <[email protected]>
@bhavyaagg
Update PR to improve Codacy Report
5b9efad 
Signed-off-by: Bhavya Aggarwal <[email protected]>
@bhavyaagg
Update PR to improve Codacy Report-2
a1711e8 
Signed-off-by: Bhavya Aggarwal <[email protected]>
@bhavyaagg
Update PR to improve Codacy Report
80b8ff9 
Signed-off-by: Bhavya Aggarwal <[email protected]>
@bhavyaagg
Update PR to improve Codacy Report
94152e3 
Signed-off-by: Bhavya Aggarwal <[email protected]>
@bhavyaagg
Update PR to improve Codacy Report-2
2fefd58 
Signed-off-by: Bhavya Aggarwal <[email protected]>
@bhavyaagg
Update PR to use 4 indents only
95309e8 
Signed-off-by: Bhavya Aggarwal <[email protected]>
@nandunbandara
fixed session issue
f559b63
@psnmissaka
create post related component creation and few changes in the auth se…
badb040 
…rvices
@nandunbandara
isAuthenticated function implementation moved before the call
5660817
@psnmissaka
Merge pull request #72 from ntbandara3/master
168b68b 
Fixed views issue
@agentmilindu
Merge pull request #68 from iammosespaulr/patch-6
561d9b8 
Update Year
@agentmilindu
Merge pull request #81 from bhavyaagg/fix-typo-issue-template
9bdcafd 
Fix typos in issue_template
@psnmissaka
Merge pull request #77 from bhavyaagg/remove-unused-variables
0026516 
Properly indent, format and remove unused variables from server.js
nandunbandara and others added 29 commits August 13, 2018 20:42
@nandunbandara
User avatar and user setting on creating a post
e842cd9
@nandunbandara
Fixed issue with loading stacks. Endpoint changed.
dd9ab87
@nandunbandara
Implementation to load github app access in the same window.
e70ce59
@nandunbandara
Fixed issue in profile
6fc599f
@nandunbandara
Subscribed orgs in create post view
d630138
@nandunbandara
View posts by org implemented
9fa4da1
@nandunbandara
Navigate to subscribed stack implemented
82ec86d
@nandunbandara
Post view formatting
7f51f0b
@nandunbandara
Navigation to post fixed in org view
b6023c0
@nandunbandara
Fixed issue in profile retrieval
e8ee81c
@psnmissaka
Merge pull request #139 from shivamarora96/master
f8977f4 
Beautifying Code
@nandunbandara
Fixed issues in code
def2265
ui fixes
95a70a2
profile avatar
03f9c57
@psnmissaka
Merge pull request #140 from ntbandara3/angular2-stacks
fc33c23 
Stacks Functionality Implementation
fixed conflicts
015eb34
@psnmissaka
Merge pull request #144 from VibhorCodecianGupta/ui
0d80976 
UI improvements
@psnmissaka
Removes old front-end app directory written with AngularJS
cb38450
@psnmissaka
Updates setup instructions
43a4c95
@psnmissaka
Adds a temporary pull request template
3e17d36
@psnmissaka
Merge pull request #145 from scorelab/dev
c413f67 
Minor updates to master
@digitaldina
Update README.md
56bf43a
@digitaldina
Add mongoDB installation instructions for linux
b69b3ab
@digitaldina
Add terminal commands to mentioned distros
deb1aef
@kartikpandey2
fix #153, fix #154
43531a7
@shivamarora96
Merge pull request #155 from kartikpandey2/master
5d94a7e 
fix #154
@psnmissaka
Merge pull request #152 from dinaelhanan/master
3205228 
Include linux instructions for installing MongoDB
@kmehant
Added restart capability to database
95be979
@psnmissaka
Merge pull request #166 from kmehant/patch-1
d119391 
Added restart capability to database
@thishnika thishnika changed the title X-Frame-Options Header Not Set X-Frame-Options Header Not Set On Stackle App May 29, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.