Insecure or unset HTTP headers - X-Frame Options - Elixir

Insecure or unset HTTP headers - X-Frame Options - Elixir

Need

To prevent clickjacking attacks

Context

  • Usage of Elixir (v1.12+) for building scalable and fault-tolerant applications
  • Usage of Plug.Router for handling HTTP requests

Description

Non compliant code

        defmodule MyApp.Router do
  use Plug.Router

  plug :match
  plug :dispatch

  match _ do
    send_resp(conn, 200, "Hello, world!")
  end

  defp put_headers(conn) do
    put_resp_header(conn, "x-frame-options", "SAMEORIGIN")
  end
end

The Elixir code sets the X-Frame-Options header to SAMEORIGIN. This header is deprecated and can be bypassed using several iframe layers, making it vulnerable to clickjacking attacks.

Steps

  • Replace the X-Frame-Options header with the Content-Security-Policy header
  • Set the frame-ancestors directive to 'self' to allow the page to be framed only by pages from the same origin

Compliant code

        defmodule MyApp.Router do
  use Plug.Router

  plug :match
  plug :dispatch

  match _ do
    send_resp(conn, 200, "Hello, world!")
  end

  defp put_headers(conn) do
    put_resp_header(conn, "content-security-policy", "frame-ancestors 'self'")
  end
end

The secure Elixir code sets the Content-Security-Policy header with the frame-ancestors 'self' directive, which is a more secure replacement for the X-Frame-Options header.

References