
Insecure or unset HTTP headers - X-Frame Options

Need

To prevent clickjacking attacks

Context

• Usage of Elixir (v1.12+) for building scalable and fault-tolerant applications

• Usage of Plug.Router for handling HTTP requests

Description

1. Non-compliant code

defmodule MyApp.Router do
  use Plug.Router

  plug :match
  plug :dispatch

  match _ do
    # Relies on the deprecated X-Frame-Options header for clickjacking protection
    conn
    |> put_resp_header("x-frame-options", "SAMEORIGIN")
    |> send_resp(200, "OK")
  end
end

The Elixir code sets the X-Frame-Options header to SAMEORIGIN. This header is deprecated and can be bypassed by nesting several iframe layers, which leaves the application vulnerable to clickjacking attacks.

2. Steps

• Replace the X-Frame-Options header with the Content-Security-Policy header

• Set the frame-ancestors directive to 'self' to allow the page to be framed only by pages from the same origin

3. Secure code example

defmodule MyApp.Router do
  use Plug.Router

  plug :match
  plug :dispatch

  match _ do
    # frame-ancestors 'self' restricts framing to pages from the same origin
    conn
    |> put_resp_header("content-security-policy", "frame-ancestors 'self'")
    |> send_resp(200, "OK")
  end
end

The secure Elixir code sets the Content-Security-Policy header with the frame-ancestors 'self' directive, which is a more secure replacement for the X-Frame-Options header.
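The fix above sets the header inside a single route handler, so every new route has to repeat it. The following added example (not code from the original page or from any project it describes) moves the frame-ancestors directive into a reusable plug that runs before :match, so all responses carry it, and then checks the resulting header with Plug.Test. The module name MyApp.Plugs.FrameAncestors, the :ancestors option, the routes and the Mix.install dependency spec are assumptions made for this illustration.

```elixir
# Added example; assumes a Plug 1.x dependency and Elixir 1.12+ for Mix.install.
Mix.install([{:plug, "~> 1.14"}])

defmodule MyApp.Plugs.FrameAncestors do
  @moduledoc """
  Sets a Content-Security-Policy frame-ancestors directive on every response.
  (Hypothetical module written for this example.)
  """
  @behaviour Plug
  import Plug.Conn

  @impl true
  def init(opts), do: Keyword.get(opts, :ancestors, ["'self'"])

  @impl true
  def call(conn, ancestors) do
    directive = "frame-ancestors " <> Enum.join(ancestors, " ")

    # Append to an existing CSP instead of overwriting it, so directives set
    # by an upstream plug are preserved.
    csp =
      case get_resp_header(conn, "content-security-policy") do
        [] -> directive
        [existing | _] -> existing <> "; " <> directive
      end

    put_resp_header(conn, "content-security-policy", csp)
  end
end

defmodule MyApp.Router do
  use Plug.Router

  # Runs before :match, so every route below inherits the directive.
  plug MyApp.Plugs.FrameAncestors, ancestors: ["'self'"]
  plug :match
  plug :dispatch

  get "/" do
    send_resp(conn, 200, "hello")
  end

  match _ do
    send_resp(conn, 404, "not found")
  end
end

# Quick check with Plug.Test: the match operator raises if the header differs.
conn = Plug.Test.conn(:get, "/") |> MyApp.Router.call(MyApp.Router.init([]))
200 = conn.status
["frame-ancestors 'self'"] = Plug.Conn.get_resp_header(conn, "content-security-policy")

conn_404 = Plug.Test.conn(:get, "/missing") |> MyApp.Router.call(MyApp.Router.init([]))
["frame-ancestors 'self'"] = Plug.Conn.get_resp_header(conn_404, "content-security-policy")
```

Running the file with `elixir` exercises both a matched and an unmatched route; because the plug sits before :match, the 404 fallback is protected as well, which a per-handler put_resp_header would not guarantee. To allow a trusted embedding origin, pass it in the list (for example `ancestors: ["'self'", "https://partner.example"]`); the directive value is built from that list verbatim, so it should come from configuration rather than request data.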