Insecure or unset HTTP headers - X-Frame Options - Ruby

Need

Implementation of secure and properly configured HTTP headers

Context

  • Usage of Ruby 2.0+ for developing Ruby applications
  • Usage of Rails for building web applications in Ruby

Description

Non-compliant code

# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  # Runs after every action of every controller that inherits from this class
  after_action :set_headers

  private

  # Relies solely on the deprecated X-Frame-Options header for clickjacking protection
  def set_headers
    response.headers["X-Frame-Options"] = "SAMEORIGIN"
  end
end

In the above code, the application sets the X-Frame-Options HTTP header to SAMEORIGIN in every response from the server. This is done in the ApplicationController, which is the superclass of all other controllers in a Rails application. The after_action callback is used to ensure that the set_headers method is called after every action in every controller.

The X-Frame-Options HTTP header is a security measure that prevents the browser from displaying the contents of a web page in an <iframe>, <embed>, or <object> HTML element, unless the web page belongs to the same origin as the web page that includes the HTML element. This is intended to provide some protection against 'clickjacking' attacks.

However, the X-Frame-Options header is considered deprecated because its protection can be bypassed using several iframe layers. Therefore, relying on this header as the only protection mechanism against clickjacking is a security vulnerability.

A more robust solution is to use the Content-Security-Policy header with the frame-ancestors directive, which provides a more powerful and flexible way to control which web pages are allowed to display the application in frames.

In addition, it is also recommended to use other security measures, such as ensuring that all user input is properly validated and sanitized, using anti-CSRF tokens, and implementing proper session management.

Steps

  • Replace the use of the X-Frame-Options header with the Content-Security-Policy header.
  • Set the Content-Security-Policy header to include the 'frame-ancestors' directive with the 'self' value.
  • Ensure that the 'frame-ancestors' directive does not allow any other domains to frame the application.
  • Consider implementing additional security measures to prevent clickjacking attacks.

Compliant code

# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  # Runs after every action of every controller that inherits from this class
  after_action :set_headers

  private

  # Restricts framing to the application's own origin via CSP frame-ancestors
  def set_headers
    response.headers["Content-Security-Policy"] = "frame-ancestors 'self'"
  end
end

The updated code replaces the deprecated X-Frame-Options header with the Content-Security-Policy header. The Content-Security-Policy header is a more modern and flexible solution for controlling content loading and preventing attacks such as clickjacking.

The frame-ancestors 'self' directive specifies that only the same origin can embed the application in a frame. This means that no other domain can frame your application, providing stronger protection against clickjacking attacks.

This change is part of a broader strategy to enhance the security of your application. It is recommended to implement additional security measures, such as regularly updating and patching your software, using secure coding practices, and educating your users about the risks of clickjacking and other attacks.

References

  • 152. Insecure or unset HTTP headers - X-Frame Options (criteria-vulnerabilities-152)
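The following is an added example, not code from the original page: a small header audit that checks the steps above, reporting whether a response's Content-Security-Policy frame-ancestors directive restricts framing to 'self' or 'none', whether it lets other domains in, or whether the response still relies only on the deprecated X-Frame-Options header. The sample header hashes are constructed to mirror the two snippets on this page.

```ruby
# Parse a CSP header value into a hash of directive name => array of source expressions.
def parse_csp(value)
  value.to_s.split(";").each_with_object({}) do |part, acc|
    name, *sources = part.strip.split(/\s+/)
    acc[name.downcase] = sources if name && !name.empty?
  end
end

# Classify the clickjacking protection offered by a response header hash:
#   :csp_restricted - frame-ancestors limits framing to 'self' and/or 'none'
#   :csp_permissive - frame-ancestors is present but allows other origins or '*'
#   :xfo_only       - only the deprecated X-Frame-Options header is set
#   :unprotected    - neither header restricts framing
def clickjacking_status(headers)
  # Header names are case-insensitive; normalise them once.
  normalized = headers.each_with_object({}) { |(k, v), h| h[k.to_s.downcase] = v }
  csp = parse_csp(normalized["content-security-policy"])
  ancestors = csp["frame-ancestors"]

  if ancestors && !ancestors.empty?
    # Keyword sources such as 'self' are case-insensitive in CSP.
    allowed = ancestors.map(&:downcase)
    return :csp_restricted if (allowed - ["'self'", "'none'"]).empty?
    return :csp_permissive
  end

  xfo = normalized["x-frame-options"].to_s.strip.upcase
  return :xfo_only if %w[DENY SAMEORIGIN].include?(xfo)
  :unprotected
end

# Constructed sample header sets mirroring the page's non-compliant and compliant code.
NON_COMPLIANT_HEADERS = { "X-Frame-Options" => "SAMEORIGIN" }.freeze
COMPLIANT_HEADERS = { "Content-Security-Policy" => "frame-ancestors 'self'" }.freeze

if __FILE__ == $PROGRAM_NAME
  puts "non-compliant: #{clickjacking_status(NON_COMPLIANT_HEADERS)}"
  puts "compliant:     #{clickjacking_status(COMPLIANT_HEADERS)}"
end
```

A request spec can call clickjacking_status on response.headers after hitting any action to verify that every controller inheriting from ApplicationController emits the restricted policy.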