Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add security headers to nextjs config to prevent XSS attacks and clickjacking #4841

Open
geleeroyale opened this issue Oct 14, 2024 · 5 comments
Assignees

Comments

@geleeroyale
Copy link
Collaborator

We got some reports in the past that it is possible to run a "clickjacking" attack against giveth.io

(essentially people could embed the whole site in an iframe and display it on their site, changing some links in their portal to their own)

Now this is known and has been like that for a long time without being exploited (its also quite hard to do something useful) ... regardless, we should probably fix it.

https://dev.to/theinfosecguy/how-to-protect-your-nextjs-website-from-clickjacking-2jbg
https://nextjs.org/docs/pages/building-your-application/configuring/content-security-policy

@github-project-automation github-project-automation bot moved this to New Issues in All-Devs Oct 14, 2024
@kkatusic kkatusic self-assigned this Oct 15, 2024
@kkatusic kkatusic moved this from New Issues to In Progress in All-Devs Oct 15, 2024
@kkatusic
Copy link
Collaborator

@geleeroyale can you check do we have some default vercel headers serving Giveth app? thx

@geleeroyale
Copy link
Collaborator Author

geleeroyale commented Oct 16, 2024

@kkatusic the frontend config should be located in next-config.ts and we have CORS configured on the reverse proxy to access impact-graph.

Apart from that I think we did not set any headers.

Here is the CORS config we are using:

# CORS Config Block Directive
(cors) {
    @cors_preflight {
        method OPTIONS
    }
    @corsOrigin {
        header_regexp Origin ^https?://([a-zA-Z0-9-]+\.)*vercel\.app$|^https?://localhost(:[0-9]+)?$|^https?://({$DOMAIN_WHITELIST})$
    }

    handle @cors_preflight {
        header {
            Access-Control-Allow-Origin "{http.request.header.Origin}"
            Access-Control-Allow-Credentials true
            Access-Control-Allow-Headers "*"
            Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE"
            Access-Control-Max-Age "3600"
            Vary Origin
            defer
        }
        respond "" 204
    }

    handle @corsOrigin {
        header {
            Access-Control-Allow-Origin "{http.request.header.Origin}"
            Access-Control-Allow-Credentials true
            Access-Control-Expose-Headers "*"
            Vary Origin
            defer
        }
    }
}

(cors-sse) {
    header {
        Access-Control-Allow-Origin "*"
        Access-Control-Allow-Credentials true
        Access-Control-Expose-Headers "*"
        Vary Origin
        defer
    }
}

@kkatusic
Copy link
Collaborator

@geleeroyale ok and that's ok, but look at header that you get from giveth.io and look, what extra we defined inside next.config.js file:

headers: [
but same never loads to browser

@geleeroyale
Copy link
Collaborator Author

Yes - It looks like its not properly configured. Please take a deeper look into this.

@kkatusic
Copy link
Collaborator

@geleeroyale can you test inside preview link these security headers:

https://giveth-dapps-v2-git-feat-securityheaders-givethio.vercel.app/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Status: In Progress
Development

No branches or pull requests

2 participants