2.1 KiB
| id | title | challengeType | forumTopicId | dashedName |
|---|---|---|---|---|
| 587d8247367417b2b2512c38 | Mitigate the Risk of Clickjacking with helmet.frameguard() | 2 | 301582 | mitigate-the-risk-of-clickjacking-with-helmet-frameguard |
--description--
As a reminder, this project is being built upon the following starter project on Replit, or cloned from GitHub.
Your page could be put in a <frame> or <iframe> without your consent. This can result in clickjacking attacks, among other things. Clickjacking is a technique of tricking a user into interacting with a page different from what the user thinks it is. This can be obtained executing your page in a malicious context, by mean of iframing. In that context a hacker can put a hidden layer over your page. Hidden buttons can be used to run bad scripts. This middleware sets the X-Frame-Options header. It restricts who can put your site in a frame. It has three modes: DENY, SAMEORIGIN, and ALLOW-FROM.
We don’t need our app to be framed.
--instructions--
Use helmet.frameguard() passing with the configuration object {action: 'deny'}.
--hints--
helmet.frameguard() middleware should be mounted correctly
(getUserInput) =>
$.get(getUserInput('url') + '/_api/app-info').then(
(data) => {
assert.include(
data.appStack,
'frameguard',
'helmet.frameguard() middleware is not mounted correctly'
);
},
(xhr) => {
throw new Error(xhr.responseText);
}
);
helmet.frameguard() 'action' should be set to 'DENY'
(getUserInput) =>
$.get(getUserInput('url') + '/_api/app-info').then(
(data) => {
assert.property(data.headers, 'x-frame-options');
assert.equal(data.headers['x-frame-options'], 'DENY');
},
(xhr) => {
throw new Error(xhr.responseText);
}
);
--solutions--
/**
Backend challenges don't need solutions,
because they would need to be tested against a full working project.
Please check our contributing guidelines to learn more.
*/