JavaScript

Made by DeepSource

Unsafe content security policy JS-D024

Category: Security
Severity: Critical
Tags: A05 OWASP Top 10, CWE-451

Developers often overlook implementing a robust content security policy (CSP), leaving web applications vulnerable to clickjacking attacks that can compromise user privacy and security.

Clickjacking attacks occur when malicious actors deceive users into clicking on elements of a legitimate website, leading them to unintended actions or disclosing sensitive information. Attackers achieve this by embedding the target website within an invisible iframe on their own site and overlaying it with deceptive content. To mitigate the risk of clickjacking attacks, implement a robust CSP with the 'frame-ancestors' directive, which specifies the origins that are allowed to embed the page in a frame. This directive prevents unauthorized sites from embedding the web application within iframes, thereby safeguarding against clickjacking attacks.

Bad Practice

const express = require('express')
const helmet = require('helmet')

let app = express()

app.use(
  helmet.contentSecurityPolicy({
    directives: {
      // other directives
      "frame-ancestors": ["'none'"] // Sensitive: frame-ancestors is set to 'none'
    }
  })
)

// OR

app.use(
  helmet.contentSecurityPolicy({
    directives: {
      // other directives
      frameAncestors: ["'none'"] // Sensitive: frameAncestors is set to 'none'
    }
  })
)

const express = require('express')
const helmet = require('helmet')

let app = express()
app.use(
  helmet({
    contentSecurityPolicy: false // Sensitive: CSP disabled entirely, so no frame-ancestors header is sent
  })
)

Recommended

const express = require('express')
const helmet = require('helmet')

let app = express()

app.use(
  helmet.contentSecurityPolicy({
    directives: {
      // other directives
      // Host sources are unquoted; only keywords such as 'self' and 'none' take quotes
      "frame-ancestors": ["example.com"]
    }
  })
)

// OR

app.use(
  helmet.contentSecurityPolicy({
    directives: {
      // other directives
      frameAncestors: ["example.com"]
    }
  })
)

const express = require('express')
const helmet = require('helmet')

let app = express()
// helmet's default CSP already sends frame-ancestors 'self'
app.use(helmet.contentSecurityPolicy())
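A check that complements the configurations above, added here as an example (it is not DeepSource's or helmet's code): it parses a Content-Security-Policy header value and reports whether its frame-ancestors directive is missing, denies all framing, restricts it to listed origins, or leaves the page open to any site, and it flags the quoted-host mistake that browsers silently ignore. The sample headers are constructed; the function and status names are this example's own.

```javascript
// Added example, not DeepSource's or helmet's code: audit the CSP header a
// server actually sends and report whether frame-ancestors blocks clickjacking.
const FRAME_ANCESTORS_KEYWORDS = new Set(["'self'", "'none'"]);
// "name v1 v2; name2 v3" -> Map(name -> [sources]); first occurrence wins, as in browsers.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}
// status: 'missing' (no directive), 'denied' (no site may embed the page),
// 'restricted' (only listed origins may) or 'open' (any site may).
function auditFrameAncestors(header) {
  const raw = parseCsp(header).get('frame-ancestors');
  const warnings = [];
  if (raw === undefined) {
    warnings.push('no frame-ancestors directive: CSP does not restrict framing');
    return { status: 'missing', sources: [], warnings };
  }
  const sources = [];
  for (const src of raw) {
    const lower = src.toLowerCase();
    const isKeyword = FRAME_ANCESTORS_KEYWORDS.has(lower);
    if (lower.startsWith("'") && !isKeyword) { // only keywords are quoted; browsers drop 'example.com'
      warnings.push(`${src} is not a valid source expression and is ignored`);
    } else sources.push(isKeyword ? lower : src);
  }
  if (sources.includes("'none'")) return { status: 'denied', sources, warnings };
  if (sources.length === 0) {
    warnings.push('no valid sources remain, so no site may embed the page');
    return { status: 'denied', sources, warnings };
  }
  // "*" or a bare scheme such as "https:" lets any site embed the page.
  const open = sources.some((s) => s === '*' || /^[a-z][a-z0-9+.-]*:$/i.test(s));
  return { status: open ? 'open' : 'restricted', sources, warnings };
}
// Constructed sample headers; helmet's default CSP includes frame-ancestors 'self'.
const SAMPLE_HEADERS = {
  helmetDefault: "default-src 'self';frame-ancestors 'self';object-src 'none'",
  denyAll: "default-src 'self'; frame-ancestors 'none'",
  partner: "default-src 'self'; frame-ancestors 'self' https://example.com",
  noDirective: "default-src 'self'; script-src 'self'",
  wildcard: "frame-ancestors *",
  quotedHost: "frame-ancestors 'example.com'", // the quoting mistake to watch for
};
```

Run auditFrameAncestors over the Content-Security-Policy value your deployed app actually returns to confirm the directive reaches the browser as intended.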