Insecure or unset HTTP headers - X-Permitted-Cross-Domain-Policies - Ruby

Need

Secure and properly set HTTP headers - X-Permitted-Cross-Domain-Policies

Context

  • Usage of Ruby for building dynamic and object-oriented applications
  • Usage of ActionController for handling and managing actions in a Ruby on Rails application

Description

Non-compliant code

# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  # No response headers are set here, so X-Permitted-Cross-Domain-Policies
  # is absent from every response served by the application.
  # ...
end

In the above code, ApplicationController is the superclass of all controllers in a Rails application, and it does not set the X-Permitted-Cross-Domain-Policies HTTP header. This header controls which cross-domain policy files clients are permitted to honor for the application. Without this header, or if it is set to an insecure value, the application may be exposed to cross-domain attacks: any domain could be allowed to interact with it, which can lead to data leakage or other security issues.

Steps

  • Add the X-Permitted-Cross-Domain-Policies header to the application.
  • Set the value of the header to 'none' to disable cross-domain policies.
  • Ensure that the header is set for all responses in the application.
  • Test the application to verify that the header is correctly set.

Compliant code

# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  # Runs before every action in every controller that inherits from here.
  before_action :set_headers

  private

  # Private so it cannot be routed to as an action.
  def set_headers
    response.headers['X-Permitted-Cross-Domain-Policies'] = 'none'
  end
  # ...
end

The above code fixes the vulnerability by setting the X-Permitted-Cross-Domain-Policies header to 'none' for all responses from the application. This is done using a before_action callback in the ApplicationController, which ensures that the header is set before any action in any controller in the application.

The set_headers method is defined as a private method to prevent it from being called as an action. This method sets the X-Permitted-Cross-Domain-Policies header in the response to 'none', which effectively disables any cross-domain policies.

This fix ensures that the application is not vulnerable to attacks that exploit insecure or unset X-Permitted-Cross-Domain-Policies headers. After implementing this fix, it's important to test the application to verify that the header is correctly set for all responses.
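To support the "set it for all responses" and "test that the header is correctly set" steps, here is an added example that is not code from the original article: a Rack-style middleware that adds the header to every response, and a checker that classifies a response as missing, insecure or correctly set. The class name, helper names and the sample app are assumptions constructed for this example.

```ruby
# Added example (not from the original article): a Rack-style middleware that
# sets X-Permitted-Cross-Domain-Policies on every response, plus a checker a
# test suite can run against response headers. Plain Ruby only; no gem needed.
HEADER = 'X-Permitted-Cross-Domain-Policies'

# Values defined for this header; 'all' permits every policy file and is
# treated as insecure by the checker below.
KNOWN_VALUES = %w[none master-only by-content-type by-ftp-filename all].freeze

# Middleware: wraps any Rack app and adds the header unless the app already
# chose a value. Same effect as the before_action shown in the article.
class PermittedCrossDomainPolicies
  def initialize(app, value: 'none')
    @app = app
    @value = value
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers[HEADER] = @value unless headers.key?(HEADER)
    [status, headers, body]
  end
end

# Checker: classify a response header hash as :missing, :insecure or :ok.
# Header names are matched case-insensitively, as HTTP requires.
def check_cross_domain_header(headers)
  key = headers.keys.find { |k| k.to_s.casecmp?(HEADER) }
  return [:missing, 'header not set'] if key.nil?

  value = headers[key].to_s.strip.downcase
  return [:insecure, "unknown value '#{value}'"] unless KNOWN_VALUES.include?(value)
  return [:insecure, "'all' permits any cross-domain policy file"] if value == 'all'

  [:ok, value]
end

# Constructed sample app so the example runs stand-alone.
BARE_APP = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['<p>hi</p>']] }
HARDENED_APP = PermittedCrossDomainPolicies.new(BARE_APP)

def header_status_for(app)
  _status, headers, _body = app.call({})
  check_cross_domain_header(headers)
end

if $PROGRAM_NAME == __FILE__
  p header_status_for(BARE_APP)      # [:missing, "header not set"]
  p header_status_for(HARDENED_APP)  # [:ok, "none"]
end
```

In a Rails application the same header can also be set globally through config.action_dispatch.default_headers, and the checker can be run inside a request spec against response.headers.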

References