Insecure or unset HTTP headers - X-Frame Options - Elixir


Need

To prevent clickjacking attacks


Context

  1. Usage of Elixir (v1.12+) for building scalable and fault-tolerant applications
  2. Usage of Plug.Router for handling HTTP requests

Description

Insecure Code Example

defmodule MyApp.Router do
  use Plug.Router

  plug :match
  plug :dispatch

  # Every request is answered through put_headers/1, so the
  # X-Frame-Options header below reaches the client.
  match _ do
    conn
    |> put_headers()
    |> send_resp(200, "Hello, world!")
  end

  # Relies on the legacy X-Frame-Options header alone.
  defp put_headers(conn) do
    put_resp_header(conn, "x-frame-options", "SAMEORIGIN")
  end
end

The Elixir code relies solely on the X-Frame-Options header, set to SAMEORIGIN. This header has been superseded by Content-Security-Policy, and browsers have historically evaluated SAMEORIGIN against the top-level document only rather than against every ancestor frame, so an attacker can bypass it by nesting several iframe layers. The page therefore remains exposed to clickjacking.

Steps

  1. Replace the X-Frame-Options header with the Content-Security-Policy header
  2. Set its frame-ancestors directive to 'self' so that the page may be framed only by documents from the same origin

Secure Code Example

defmodule MyApp.Router do
  use Plug.Router

  plug :match
  plug :dispatch

  # Every request is answered through put_headers/1, so the
  # Content-Security-Policy header below reaches the client.
  match _ do
    conn
    |> put_headers()
    |> send_resp(200, "Hello, world!")
  end

  # frame-ancestors is checked against every ancestor browsing context,
  # not only the top-level one. Plug expects lowercase header names.
  defp put_headers(conn) do
    put_resp_header(conn, "content-security-policy", "frame-ancestors 'self'")
  end
end

The secure Elixir code sets the Content-Security-Policy header with the frame-ancestors 'self' directive, the standardized replacement for X-Frame-Options; because the directive is enforced against every ancestor frame, nesting iframes no longer defeats the restriction.
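The two steps above can be packaged as a reusable Plug so that the policy is applied before routing and cannot be forgotten on an individual route. The following is an added example, not code from the original page: the module names MyApp.Plugs.FrameAncestors and MyApp.RouterTest are assumed, and the snippet presumes a Mix project with the plug dependency and ExUnit available. The test asserts both that the CSP directive is present and that the legacy X-Frame-Options header is no longer emitted.

```elixir
# Added example (not from the original page). Module names are assumed.
defmodule MyApp.Plugs.FrameAncestors do
  @moduledoc """
  Sets `content-security-policy: frame-ancestors <sources>` on every response
  that passes through the pipeline. Unlike X-Frame-Options, frame-ancestors is
  enforced against every ancestor browsing context, so nested iframes cannot
  bypass it.
  """
  import Plug.Conn
  @behaviour Plug

  @impl true
  def init(opts), do: Keyword.get(opts, :allow, "'self'")

  @impl true
  def call(conn, sources) do
    # Header names must be lowercase; Plug's test adapter raises otherwise.
    put_resp_header(conn, "content-security-policy", "frame-ancestors #{sources}")
  end
end

defmodule MyApp.Router do
  use Plug.Router

  # Header plugs run before :match/:dispatch so that every route, including
  # the catch-all below, carries the policy.
  plug MyApp.Plugs.FrameAncestors, allow: "'self'"
  plug :match
  plug :dispatch

  match _ do
    send_resp(conn, 200, "Hello, world!")
  end
end

defmodule MyApp.RouterTest do
  use ExUnit.Case, async: true
  import Plug.Test
  import Plug.Conn

  @opts MyApp.Router.init([])

  test "responses restrict framing to the same origin via CSP" do
    conn = MyApp.Router.call(conn(:get, "/"), @opts)

    assert conn.status == 200
    assert get_resp_header(conn, "content-security-policy") == ["frame-ancestors 'self'"]
    # The legacy header has been replaced rather than duplicated.
    assert get_resp_header(conn, "x-frame-options") == []
  end
end
```

Placing the plug ahead of :match means the header is also present on responses that never reach a route handler, such as the default 404 emitted by Plug.Router when no match exists.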


References

  • 152 - Insecure or unset HTTP headers - X-Frame Options

  • Last updated: 2023/09/18