I am working with the security team at my work to get a website accredited before I can publish it...It is a very simple webpage hosted on Github pages with only some javascript.
I kind of reached a roadblock in terms of creating the code to secure the website enough. Since this is a community of security experts, I thought I would ask.
The problem is that according to security:
the site is still has frameable response, to effectively prevent framing attacks, the application should return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itself.
So, I am trying to add all the security code that I can think of in terms of meta tags and script (this is github pages and I can't do any .htaccess)
Here are my meta. (I know some of them don't work on firefox or chrome, but I added anyway)
<meta http-equiv="Content-Security-Policy" content="
default-src 'self';
font-src 'self' https://fonts.gstatic.com;
frame-src 'self' https://a.tiles.mapbox.com https://docs.google.com/ https://www.mapbox.com;
img-src 'self';
script-src 'self' https://ajax.googleapis.com 'unsafe-inline' ;
style-src 'self' https://fonts.googleapis.com/ 'unsafe-inline' ;
">
<meta http-equiv="Access-Control-Allow-Origin" content="Origin">
<meta http-equiv="X-XSS-Protection" content="1;mode=block" always>
<meta http-equiv="X-Content-Type-Options" content="'nosniff' always">
<meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate" />
<meta http-equiv="Pragma" content="no-cache" />
<meta http-equiv="Expires" content="0" />
<meta name="referrer" content="no-referrer" />
<meta http-equiv="X-Frame-Options" content="deny">
Then I added a script just after the head tag at the start of the page
<script>
if (self == top) {
var theBody = document.getElementsByTagName('body')[0];
theBody.style.display = "block";
}
else {
top.location = self.location;
}
</script>
I test locally, if a page tries to embed the website, it is redirected to the actual website.
Upon discussion, I still receive the feedback that
Kindly check if SAME ORIGIN policy in place , this will may resolve the issue for remaining web browsers.
I am honestly a little bit lost on what else should i secure. I think the problem for the security team is that in the response headers they still see
access-control-allow-origin:*
any help is really really appreciate... what am i not understanding? which meta tags or javascript am i missing? is there a way to change access-control-allow-origin:*
for github pages?
I love the security team and creating secure code... I don't want to frustrate them and myself more.
Any help is appreciated.