
Insecure or unset HTTP headers - X-Permitted-Cross-Domain-Policies - Ruby


Need

Secure and properly set HTTP headers - X-Permitted-Cross-Domain-Policies


Context

  1. Usage of Ruby for building dynamic and object-oriented applications
  2. Usage of ActionController for handling and managing actions in a Ruby on Rails application

Description

Insecure Code Example

# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  # No callback or configuration sets X-Permitted-Cross-Domain-Policies,
  # so responses leave the application without it.
  # ...
end

In the above code, `ApplicationController` is the superclass of all controllers in a Rails application, and it does not set the `X-Permitted-Cross-Domain-Policies` HTTP header. This header tells clients that honour cross-domain policy files (`crossdomain.xml`) which of those policies, if any, the application permits. When the header is missing, or set to a permissive value, such clients may treat the application as open to interaction from any domain, which can lead to data leakage or other security issues.

Steps

  1. Add the `X-Permitted-Cross-Domain-Policies` header to the application.
  2. Set the value of the header to `none` to disable cross-domain policies.
  3. Ensure that the header is set for all responses in the application.
  4. Test the application to verify that the header is correctly set.

Secure Code Example

# app/controllers/application_controller.rb
class ApplicationController < ActionController::Base
  # Runs before every action of every controller that inherits from this class
  before_action :set_headers

  private

  # Private so it cannot be routed to as an action
  def set_headers
    response.headers['X-Permitted-Cross-Domain-Policies'] = 'none'
  end
  # ...
end

The above code fixes the vulnerability by setting the `X-Permitted-Cross-Domain-Policies` header to `none` on every response the application's controllers produce. It does so with a `before_action` callback in `ApplicationController`, so the header is set before any action in any controller runs. The `set_headers` method is private so that it cannot be invoked as an action; it writes `none` into the response headers, which disables cross-domain policies for clients that honour them. After applying this fix, test the application to verify that the header is present, with the value `none`, on all responses.
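As an added example, not code from the original page, the following plain Ruby shows the same header applied at the Rack layer and a checker for step 4. The `before_action` above only runs for requests that reach a controller action; responses produced elsewhere in the stack (routing 404s, exception pages, static files) are not covered, which is why step 3 asks for all responses. A Rack middleware sits in front of everything, and Rails also offers `config.action_dispatch.default_headers` for the same purpose (recent Rails versions include this header in that default set, so the check is how you confirm what your app actually emits). The middleware name `PermittedCrossDomainPolicies`, the sample app `BARE_APP`, and the helper names are assumptions for this example; only the Rack calling convention (`call(env)` returning `[status, headers, body]`) is used, so no gems are required.

```ruby
require 'stringio'

PERMITTED_CROSS_DOMAIN_HEADER = 'X-Permitted-Cross-Domain-Policies'.freeze
# Values defined for this header; 'none' is the recommended value when the
# application serves no cross-domain policy files at all.
PERMITTED_CROSS_DOMAIN_VALUES = %w[none master-only by-content-type by-ftp-filename all].freeze

# Hypothetical Rack middleware (not Rails' own code): adds the header to every
# response that passes through it, whether or not a controller produced it.
class PermittedCrossDomainPolicies
  def initialize(app, value: 'none')
    unless PERMITTED_CROSS_DOMAIN_VALUES.include?(value)
      raise ArgumentError, "unsupported X-Permitted-Cross-Domain-Policies value #{value.inspect}"
    end
    @app = app
    @value = value
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Set-if-absent: an explicit value chosen downstream is preserved, so the
    # audit below is what catches a deliberately weak per-route override.
    # Header names are compared case-insensitively because Rack 3 lower-cases them.
    existing = headers.keys.find { |k| k.to_s.casecmp?(PERMITTED_CROSS_DOMAIN_HEADER) }
    headers[PERMITTED_CROSS_DOMAIN_HEADER] = @value if existing.nil?
    [status, headers, body]
  end
end

# Step 4: classify one response's headers as :secure (value is 'none'),
# :missing (header absent) or :insecure (any other value).
def check_cross_domain_header(headers)
  key = headers.keys.find { |k| k.to_s.casecmp?(PERMITTED_CROSS_DOMAIN_HEADER) }
  return :missing if key.nil?
  headers[key].to_s.strip == 'none' ? :secure : :insecure
end

# Constructed sample application standing in for a Rails app: the home route
# forgets the header, /report sets a weaker explicit value, and unknown paths
# produce a 404 that never reaches a controller.
BARE_APP = lambda do |env|
  case env['PATH_INFO']
  when '/'
    [200, { 'Content-Type' => 'text/html' }, ['<h1>home</h1>']]
  when '/report'
    [200, { 'Content-Type' => 'text/html', PERMITTED_CROSS_DOMAIN_HEADER => 'master-only' }, ['report']]
  else
    [404, { 'Content-Type' => 'text/plain' }, ['not found']]
  end
end

HARDENED_APP = PermittedCrossDomainPolicies.new(BARE_APP)

# Minimal GET request through a Rack app; returns [status, headers].
def rack_request(app, path)
  env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => path, 'rack.input' => StringIO.new }
  status, headers, _body = app.call(env)
  [status, headers]
end

# Audit several paths at once: { path => :secure | :missing | :insecure }
def audit(app, paths)
  paths.to_h { |path| [path, check_cross_domain_header(rack_request(app, path)[1])] }
end

if __FILE__ == $PROGRAM_NAME
  paths = %w[/ /report /missing]
  puts "before: #{audit(BARE_APP, paths)}"
  puts "after:  #{audit(HARDENED_APP, paths)}"
end
```

Running the file prints `:missing` for the home route and the 404 before the middleware is added, and `:secure` for both afterwards; `/report` stays `:insecure` in both runs because its explicit `master-only` value is preserved, so the audit, not the default, is what surfaces that route for review.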


References

  • 137 - Insecure or unset HTTP headers - X-Permitted-Cross-Domain-Policies

Last updated: 2023/09/18