Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add security headers to nextjs config to prevent XSS attacks and clickjacking #4841

Open
geleeroyale opened this issue Oct 14, 2024 · 5 comments
Open

Add security headers to nextjs config to prevent XSS attacks and clickjacking #4841

geleeroyale opened this issue Oct 14, 2024 · 5 comments
Assignees
@kkatusic
Labels
Feature Request

Comments

@geleeroyale
Copy link
Collaborator

We got some reports in the past that it is possible to run a "clickjacking" attack against giveth.io

(essentially people could embed the whole site in an iframe and display it on their site, changing some links in their portal to their own)

Now this is known and has been like that for a long time without being exploited (its also quite hard to do something useful) ... regardless, we should probably fix it.

https://dev.to/theinfosecguy/how-to-protect-your-nextjs-website-from-clickjacking-2jbg
https://nextjs.org/docs/pages/building-your-application/configuring/content-security-policy
@kkatusic kkatusic mentioned this issue Oct 15, 2024
Open
@kkatusic kkatusic self-assigned this Oct 15, 2024
@kkatusic
Copy link
Collaborator

@geleeroyale can you check do we have some default vercel headers serving Giveth app? thx

@geleeroyale
Copy link
Collaborator Author

geleeroyale commented Oct 16, 2024
edited
Loading

@kkatusic the frontend config should be located in next-config.ts and we have CORS configured on the reverse proxy to access impact-graph.

Apart from that I think we did not set any headers.

Here is the CORS config we are using:

# CORS Config Block Directive
(cors) {
    @cors_preflight {
        method OPTIONS
    }
    @corsOrigin {
        header_regexp Origin ^https?://([a-zA-Z0-9-]+\.)*vercel\.app$|^https?://localhost(:[0-9]+)?$|^https?://({$DOMAIN_WHITELIST})$
    }

    handle @cors_preflight {
        header {
            Access-Control-Allow-Origin "{http.request.header.Origin}"
            Access-Control-Allow-Credentials true
            Access-Control-Allow-Headers "*"
            Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE"
            Access-Control-Max-Age "3600"
            Vary Origin
            defer
        }
        respond "" 204
    }

    handle @corsOrigin {
        header {
            Access-Control-Allow-Origin "{http.request.header.Origin}"
            Access-Control-Allow-Credentials true
            Access-Control-Expose-Headers "*"
            Vary Origin
            defer
        }
    }
}

(cors-sse) {
    header {
        Access-Control-Allow-Origin "*"
        Access-Control-Allow-Credentials true
        Access-Control-Expose-Headers "*"
        Vary Origin
        defer
    }
}

@kkatusic
Copy link
Collaborator

@geleeroyale ok and that's ok, but look at header that you get from giveth.io and look, what extra we defined inside next.config.js file:

giveth-dapps-v2/next.config.js

Line 156 in 66e0051

headers: [
but same never loads to browser

@geleeroyale
Copy link
Collaborator Author

Yes - It looks like its not properly configured. Please take a deeper look into this.

@kkatusic
Copy link
Collaborator

@geleeroyale can you test inside preview link these security headers:

https://giveth-dapps-v2-git-feat-securityheaders-givethio.vercel.app/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kkatusic kkatusic

Labels
Feature Request
Projects
All-Devs
Status: In Progress
Milestone
No milestone
Development

No branches or pull requests
2 participants
@geleeroyale @kkatusic