0

I am working with the security team at my work to get a website accredited before I can publish it...It is a very simple webpage hosted on Github pages with only some javascript.

I kind of reached a roadblock in terms of creating the code to secure the website enough. Since this is a community of security experts, I thought I would ask.

The problem is that according to security:

the site is still has frameable response, to effectively prevent framing attacks, the application should return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itself.

So, I am trying to add all the security code that I can think of in terms of meta tags and script (this is github pages and I can't do any .htaccess)

Here are my meta. (I know some of them don't work on firefox or chrome, but I added anyway)

<meta http-equiv="Content-Security-Policy" content="
default-src 'self';
font-src 'self' https://fonts.gstatic.com;
frame-src 'self' https://a.tiles.mapbox.com https://docs.google.com/ https://www.mapbox.com;
img-src 'self';
script-src 'self'  https://ajax.googleapis.com 'unsafe-inline' ;
style-src 'self' https://fonts.googleapis.com/ 'unsafe-inline' ;
">

<meta http-equiv="Access-Control-Allow-Origin" content="Origin">
<meta http-equiv="X-XSS-Protection"  content="1;mode=block" always>
<meta http-equiv="X-Content-Type-Options" content="'nosniff' always">

<meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" />
<meta http-equiv="Pragma" content="no-cache" />
<meta http-equiv="Expires" content="0" />


<meta name="referrer" content="no-referrer" />
<meta http-equiv="X-Frame-Options" content="deny">

Then I added a script just after the head tag at the start of the page

<script>
 if (self == top) {
     var theBody = document.getElementsByTagName('body')[0];
     theBody.style.display = "block";
     } 
  else {
    top.location = self.location;
     }
 </script>

I test locally, if a page tries to embed the website, it is redirected to the actual website.

Upon discussion, I still receive the feedback that

Kindly check if SAME ORIGIN policy in place , this will may resolve the issue for remaining web browsers.

I am honestly a little bit lost on what else should i secure. I think the problem for the security team is that in the response headers they still see

access-control-allow-origin:*

access control

any help is really really appreciate... what am i not understanding? which meta tags or javascript am i missing? is there a way to change access-control-allow-origin:* for github pages? I love the security team and creating secure code... I don't want to frustrate them and myself more.

Any help is appreciated.

mireille raad
  • 101
  • 4

1 Answers1

1

You can prevent clickjacking using the X-frame-options header as you mentioned but a more modern approach uses the CSP header. You best use both: CSP vs X-frame-options

Access-control-allow-origin:* should be avoided on state changing pages or private pages. Since you mention it is "hosted on github" I don't assume it has a dynamic nature and it will not accept request that modify state or show private info. Therefor the issue might be mute. The header allows another website to call your site and make the result accessible to the domain on which that site is hosted.

If you can explain what you site does, it might be clear what the impact is. I don't know if and how you can change github response headers. This post might be helpful

Specific to CORS on GitHub, it seems that all pages now return the wildcard source.

Silver
  • 1,824
  • 11
  • 23
  • Thank you for the explanation, it is good to have a third party opinion from people who work in security (especially on the ability to change github headers). – mireille raad Sep 01 '17 at 05:19