Opened 11 years ago

Closed 5 years ago

#40 closed enhancement (wontfix)

Security recommendations: secure header flag & clickjacking

Reported by: quinn Owned by: quinn
Priority: minor Milestone:
Keywords: Cc:

Description

from the asafaweb scanner – https://asafaweb.com/Scan?Url=control.strangecode.com

Secure cookies: Warning

Requested URL: https://control.strangecode.com/login.php (POST 1,001 params)
Response URL: https://control.strangecode.com/login.php
Page title: Strangecode · Hosting Controls
HTTP status code: 200 (OK)
Response size: 5,262 bytes
Duration: 461 ms

Overview

Cookies served over HTTPS but not flagged as "secure" may be sent over an insecure connection by the browser. Often this may be a simple request for an asset such as a bitmap file but if it's on the same domain as the cookie is valid for then it will be sent in an insecure fashion. This poses a risk of interception via a man in the middle attack.

Result

It looks like a cookie is being served over HTTPS without the "secure" flag being set (name : value):

  1. _session : ega7g6pldi51uo5novjagjg6n0

Unless the cookie needs to be sent over an insecure connection, the "secure" flag should always be set to ensure it can only be sent with an HTTPS request.

More reading: C is for cookie, H is for hacker – understanding HTTP only and Secure cookies

Clickjacking: Warning

Requested URL: http://control.strangecode.com/
Response URL: https://control.strangecode.com/login.php
Page title: Strangecode · Hosting Controls
HTTP status code: 200 (OK)
Response size: 5,013 bytes
Duration: 532 ms

Overview

Websites are at risk of a clickjacking attack when they allow content to be embedded within a frame. An attacker may use this risk to invisibly load the target website into their own site and trick users into clicking on links which they never intended to. An "X-Frame-Options" header should be sent by the server to either deny framing of content, only allow it from the same origin or allow it from a trusted URIs.

Result

It doesn't look like an X-Frame-Options header was returned from the server which means that this website could be at risk of a clickjacking attack. Add a header to explicitly describe the acceptable framing practices (if any) for this site.

More reading: Clickjack attack – the hidden threat right in front of you
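The two findings above (a Set-Cookie without the Secure attribute, and no X-Frame-Options header) can both be checked, and corrected at the HTTP-server layer, by inspecting the raw response head. The script below is an added example, not code from this ticket, the control panel or the asafaweb scanner; the response it audits is a constructed sample with a made-up cookie value, and the SAMEORIGIN policy it appends is an assumed choice for a single-host login page.

```python
# Audit a raw HTTP response head for the two findings in this ticket and
# show what the server-layer fix changes. Added example; sample data is
# constructed, not captured from the real site.

# Constructed response head modelled on the scanner report: a session
# cookie without "Secure" and no X-Frame-Options header. Cookie value is
# made up.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: _session=abc123def456; path=/; HttpOnly\r\n"
    "Set-Cookie: lang=en; path=/\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return (name_lowercase, value) pairs from a raw response head.
    A list is used because Set-Cookie may legitimately repeat."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def cookie_attributes(set_cookie):
    """Split a Set-Cookie value into (cookie_name, {attribute_lower: value})."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def insecure_cookies(headers):
    """Names of cookies set without the Secure attribute."""
    found = []
    for name, value in headers:
        if name == "set-cookie":
            cookie, attrs = cookie_attributes(value)
            if "secure" not in attrs:
                found.append(cookie)
    return found


def framing_policy(headers):
    """The X-Frame-Options value, or None when the header is absent."""
    for name, value in headers:
        if name == "x-frame-options":
            return value
    return None


def audit(raw):
    """Report the same two warnings the scanner raised for this site."""
    headers = parse_headers(raw)
    return {
        "insecure_cookies": insecure_cookies(headers),
        "x_frame_options": framing_policy(headers),
    }


def harden(raw, policy="SAMEORIGIN"):
    """Apply the fix at the server layer: append Secure to every Set-Cookie
    that lacks it and add X-Frame-Options when missing. The policy value
    is an assumption for a site that never frames itself cross-origin."""
    head, sep, body = raw.partition("\r\n\r\n")
    out = []
    for line in head.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "set-cookie":
            if "secure" not in cookie_attributes(value.strip())[1]:
                line = line + "; Secure"
        out.append(line)
    if framing_policy(parse_headers(raw)) is None:
        out.append("X-Frame-Options: " + policy)
    return "\r\n".join(out) + sep + body


if __name__ == "__main__":
    print("before:", audit(SAMPLE_RESPONSE))
    print("after: ", audit(harden(SAMPLE_RESPONSE)))
```

Running the audit on the constructed response flags both cookies and reports no framing policy; running it again on the hardened head reports no insecure cookies and a SAMEORIGIN policy, which is the state the scanner would need to see to clear both warnings.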

Change History (1)

comment:1 Changed 5 years ago by quinn

  • Resolution set to wontfix
  • Status changed from new to closed

This should be implemented in the http server layer.
