Unsafe content security policy JS-D024
Developers often overlook implementing a robust content security policy (CSP), leaving web applications vulnerable to clickjacking attacks that can compromise user privacy and security.
Clickjacking attacks occur when malicious actors deceive users into clicking on elements of a legitimate website, leading them to unintended actions or disclosing sensitive information. Attackers achieve this by embedding the target website within an invisible iframe on their own site and overlaying it with deceptive content. To mitigate the risk of clickjacking attacks, it's imperative to implement a robust CSP with the 'frame-ancestors' directive, which specifies the origins from which the browser can load frames. This directive effectively prevents unauthorized sites from embedding the web application within iframes, thereby safeguarding against clickjacking attacks.
Bad Practice
const express = require('express')
const helmet = require('helmet')
let app = express()
app.use(
helmet.contentSecurityPolicy({
directives: {
// other directives
"frame-ancestors": ["'none'"] // Sensitive: frame-ancestors is set to 'none'
}
})
)
// OR
app.use(
helmet.contentSecurityPolicy({
directives: {
// other directives
frameAncestors: ["'none'"] // Sensitive: frameAncestors is set to 'none'
}
})
)
const express = require('express')
const helmet = require('helmet')
let app = express()
app.use(
helmet({
contentSecurityPolicy: false // sensitive
})
)
Recommended
const express = require('express')
const helmet = require('helmet')
let app = express()
app.use(
helmet.contentSecurityPolicy({
directives: {
// other directives
"frame-ancestors": ["'example.com'"]
}
})
)
// OR
app.use(
helmet.contentSecurityPolicy({
directives: {
// other directives
frameAncestors: ["'example.com'"]
}
})
)
const express = require('express')
const helmet = require('helmet')
let app = express()
app.use(helmet.contentSecurityPolicy())