Insecure or unset HTTP headers - X-Frame Options - Scala

Need

Implementation of secure and properly configured HTTP headers

Context

  • Usage of Scala 2.12 for building scalable and high-performance applications
  • Usage of play.api.mvc for handling HTTP requests and responses in Play Framework

Description

Non compliant code

    import play.api.mvc._

    class ApplicationController extends Controller {
      // The only anti-framing control sent is X-Frame-Options, and it is set
      // on this one action's response rather than on every response.
      def index = Action { implicit request =>
        Ok(views.html.index("Your new application is ready.")).withHeaders(
          "X-Frame-Options" -> "SAMEORIGIN"
        )
      }
    }

The above code snippet is an example of a controller in a Play framework application. In the index action, it responds with an Ok status and renders an HTML view. Along with this response, it sets the HTTP header X-Frame-Options to SAMEORIGIN.

The X-Frame-Options header tells a browser whether it may render the page inside a <frame>, <iframe>, <embed> or <object>. The SAMEORIGIN directive means the page may only be displayed in a frame whose origin matches the page's own origin.

However, X-Frame-Options has been obsoleted by the frame-ancestors directive of Content-Security-Policy, and browsers did not implement SAMEORIGIN consistently: some checked only the top-level document or the immediate parent rather than every ancestor frame. An attacker who can nest several iframe layers can therefore get the page rendered inside a cross-origin frame and carry out a clickjacking attack, tricking the user into clicking a concealed link or button on the framed page.

In the context of this code, the application uses the X-Frame-Options header as its only protection mechanism against clickjacking, which leaves it vulnerable to such attacks. Note also that withHeaders only affects the index action; any other action in the application is served with no framing protection at all.

Steps

  • Replace the use of the X-Frame-Options header with the Content-Security-Policy header.
  • Set the Content-Security-Policy header to include the frame-ancestors directive with the 'self' value.
  • Ensure that the Content-Security-Policy header is set on all server responses.
  • Test the application to verify that the clickjacking vulnerability is fixed.

Compliant code

    import play.api.mvc._

    class ApplicationController extends Controller {
      def index = Action { implicit request =>
        Ok(views.html.index("Your new application is ready.")).withHeaders(
          "Content-Security-Policy" -> "frame-ancestors 'self'"
        )
      }
    }

The previous code was vulnerable to clickjacking because it relied on the obsolete X-Frame-Options header as its only protection mechanism; since not every browser checks every ancestor frame for SAMEORIGIN, that protection can be bypassed with several iframe layers.

The updated code replaces the X-Frame-Options header with the Content-Security-Policy header, which is the mechanism currently recommended for protection against clickjacking. The header is set to include the frame-ancestors directive with the 'self' value, so the application only allows pages from its own origin to embed its pages, and the browser checks every ancestor frame, not just the nearest or outermost one. Two caveats: frame-ancestors is only honoured when delivered as an HTTP header (it is ignored in a <meta> tag), and if X-Frame-Options is kept for older browsers, a browser that understands both will obey frame-ancestors and ignore X-Frame-Options, so the two values must agree.

This change should be applied to all server responses to ensure consistent protection across the application; setting it per action, as above, protects only that action.

After applying this change, test the application to verify that the clickjacking vulnerability is fixed: inspect the response headers of several pages (for example with curl -I) to confirm that Content-Security-Policy: frame-ancestors 'self' is present on each, then try to embed the application's pages in an iframe served from a different origin and verify that the browser refuses to render them.

References

  • 152. Insecure or unset HTTP headers - X-Frame Options (criteria-vulnerabilities-152)
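The steps above require the header on all server responses, which a per-action withHeaders call cannot guarantee. The following is an added example, not code from the original page or from the Play project: a Play filter that adds frame-ancestors 'self' to every response, merging it into any Content-Security-Policy an action has already set instead of overwriting that policy. The package name filters, the names FrameAncestors and FrameAncestorsFilter, and a Play 2.6 or later application are assumptions.

```scala
// Added example, not from the original page: enforce frame-ancestors 'self'
// on every response via a Play filter. Package and class names are assumed.
package filters

import javax.inject.Inject
import akka.stream.Materializer
import play.api.mvc._
import scala.concurrent.{ExecutionContext, Future}

/** Header-merging logic kept separate from the filter so it can be unit-tested. */
object FrameAncestors {
  val Header: String    = "Content-Security-Policy"
  val Directive: String = "frame-ancestors 'self'"

  private def declaresFrameAncestors(policy: String): Boolean =
    policy.split(";").exists(_.trim.toLowerCase.startsWith("frame-ancestors"))

  /** Policy value to send, given whatever the action already set:
    *  - no CSP on the response        -> just the frame-ancestors directive
    *  - CSP without frame-ancestors   -> the action's directives plus frame-ancestors
    *  - CSP that already sets it      -> left untouched (the action's choice wins)
    */
  def merge(existing: Option[String]): String =
    existing.map(_.trim).filter(_.nonEmpty) match {
      case None                                           => Directive
      case Some(policy) if declaresFrameAncestors(policy) => policy
      case Some(policy)                                   => s"${policy.stripSuffix(";")}; $Directive"
    }
}

/** Runs on every response, so an action that forgets withHeaders(...) is
  * still not frameable by other origins.
  */
class FrameAncestorsFilter @Inject() (implicit val mat: Materializer, ec: ExecutionContext)
    extends Filter {

  def apply(next: RequestHeader => Future[Result])(rh: RequestHeader): Future[Result] =
    next(rh).map { result =>
      // Header names are case-insensitive on the wire but Play's header map is
      // not, so find any existing CSP header by case-insensitive name and reuse
      // its exact key to avoid emitting two Content-Security-Policy headers.
      val existing = result.header.headers.find {
        case (name, _) => name.equalsIgnoreCase(FrameAncestors.Header)
      }
      val name = existing.map(_._1).getOrElse(FrameAncestors.Header)
      result.withHeaders(name -> FrameAncestors.merge(existing.map(_._2)))
    }
}
```

To activate it on Play 2.6 or later, add play.filters.enabled += "filters.FrameAncestorsFilter" to conf/application.conf (older Play versions instead list filters in a root-package Filters class implementing HttpFilters). With the filter in place the index action no longer needs its own withHeaders call, and an action that legitimately must be embedded by a specific partner origin can still set its own frame-ancestors directive, which the merge logic leaves untouched.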