Clickjacking in Rails
- Clickjacking is a type of network attack that automatically redirects a user to another page. It is worth noting that, as a rule, this type of attack does not harm your site and is used to increase the attendance of a third-party resource. In spite of this, the latest versions of Rails have a mechanism that can prevent the redirects. To do it, the developer simply needs to add the HTTP header "X-Frame-Options: SAMEORIGIN" to the created pages.
- The default value in Rails is "SAMEORIGIN," which means framing on the same domain is allowed. There are two more options: "DENY" (no framing at all) and "ALLOWALL" (framing is allowed for the entire site). Note that "ALLOWALL" is not a standard X-Frame-Options value; browsers that do not recognise it simply ignore the header, which is why CSP frame-ancestors (below) is the reliable way to express anything other than DENY or SAMEORIGIN.
- There are two main ways to prevent clickjacking:
- Sending the proper Content Security Policy (CSP) frame-ancestors directive response headers that instruct the browser to not allow framing from other domains. (This replaces the older X-Frame-Options HTTP headers.)
- Employing defensive code in the UI to ensure that the current frame is the top-level window
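The two response headers from the list above, as an added example that is not part of the original notes: a Rack-style middleware written in plain Ruby (no Rails or Rack gem required) that attaches X-Frame-Options and a CSP frame-ancestors directive to every response. In a real Rails app the same headers come from `config.action_dispatch.default_headers` (X-Frame-Options) and the `config/initializers/content_security_policy.rb` initializer; the `FramingProtection` class, its `policy:` option and the stub app are assumptions made for this example.

```ruby
# Added example, not from the original page or from Rails itself.
# A minimal Rack-compatible middleware that decides the framing policy for a
# response and emits both the legacy X-Frame-Options header and the
# Content-Security-Policy frame-ancestors directive that supersedes it.
class FramingProtection
  # policy is one of:
  #   :deny         -> no site may frame the page
  #   :same_origin  -> only the page's own origin may frame it (Rails' default)
  #   Array         -> own origin plus the listed CSP host sources,
  #                    e.g. ["*.somesite.com", "https://myfriend.site.com"]
  def initialize(app, policy: :same_origin)
    @app = app
    @policy = policy
  end

  # Standard Rack entry point: call the downstream app, then merge our headers
  # over whatever it returned (ours win on conflict).
  def call(env)
    status, headers, body = @app.call(env)
    [status, headers.merge(self.class.headers_for(@policy)), body]
  end

  # Pure function so the mapping from policy to headers can be checked directly.
  def self.headers_for(policy)
    case policy
    when :deny
      { 'X-Frame-Options' => 'DENY',
        'Content-Security-Policy' => "frame-ancestors 'none'" }
    when :same_origin
      { 'X-Frame-Options' => 'SAMEORIGIN',
        'Content-Security-Policy' => "frame-ancestors 'self'" }
    when Array
      # X-Frame-Options cannot carry an allow-list (ALLOW-FROM is obsolete), so
      # the list lives only in CSP. Browsers that understand frame-ancestors
      # give it precedence over X-Frame-Options; SAMEORIGIN stays as a
      # conservative fallback for the few that do not.
      sources = (["'self'"] + policy).join(' ')
      { 'X-Frame-Options' => 'SAMEORIGIN',
        'Content-Security-Policy' => "frame-ancestors #{sources}" }
    else
      raise ArgumentError, "unknown framing policy: #{policy.inspect}"
    end
  end
end

# Stand-alone demo with a constructed stub app (no web server needed).
if $PROGRAM_NAME == __FILE__
  stub_app = ->(_env) { [200, { 'Content-Type' => 'text/html' }, ['<h1>hi</h1>']] }
  _status, headers, _body = FramingProtection.new(stub_app, policy: :deny).call({})
  headers.each { |k, v| puts "#{k}: #{v}" }
end
```

Wiring it into a Rack stack is the usual `use FramingProtection, policy: :deny` in `config.ru`; the point of `headers_for` being a class method is that the policy-to-header mapping can be unit-tested without booting the application.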
- The frame-ancestors directive can be used in a Content-Security-Policy HTTP response header to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites. frame-ancestors allows a site to authorize multiple domains using the normal Content Security Policy semantics.
Content-Security-Policy: frame-ancestors 'none';
- This prevents any domain from framing the content. This setting is recommended unless a specific need has been identified for framing.
Content-Security-Policy: frame-ancestors 'self';
- This only allows the current site to frame the content.
Content-Security-Policy: frame-ancestors 'self' *.somesite.com https://myfriend.site.com;
- This allows the current site, as well as any page on somesite.com (using any protocol), and only the page myfriend.site.com, using HTTPS only on the default port (443).
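To make the three header examples above concrete, here is an added example (not from the original page) in plain Ruby that models how a browser evaluates a frame-ancestors directive: it parses the directive out of a CSP header and decides whether a given embedding origin may frame the page. It implements 'none', 'self', scheme sources such as `https:`, and host sources with an optional scheme, a leading `*.` wildcard and an optional port. The `FrameAncestors` module name and all origins used are constructed for this example, and the matching is a simplification of the CSP specification (in particular a scheme-less host source is treated as matching any scheme, as the notes above describe it).

```ruby
# Added example, not from the original page: a simplified model of browser-side
# evaluation of Content-Security-Policy: frame-ancestors.
require 'uri'

module FrameAncestors
  module_function

  # Extract the source list of the frame-ancestors directive from a full CSP
  # header value. Returns nil when the directive is absent, meaning CSP places
  # no restriction on framing (X-Frame-Options, if any, would then apply).
  def parse(csp_header)
    directive = csp_header.split(';').map(&:strip)
                          .find { |d| d.split(/\s+/).first == 'frame-ancestors' }
    return nil unless directive
    directive.split(/\s+/).drop(1)
  end

  # May a document at embedder_origin embed the page served from page_origin?
  def allowed?(sources, page_origin:, embedder_origin:)
    return true if sources.nil?                            # no directive at all
    return false if sources.empty? || sources.include?("'none'") # 'none' wins
    page = URI.parse(page_origin)
    emb  = URI.parse(embedder_origin)
    sources.any? { |src| source_match?(src, page, emb) }
  end

  def source_match?(src, page, emb)
    case src
    when "'self'"
      # Same origin: scheme, host and port must all agree.
      emb.scheme == page.scheme && emb.host == page.host && emb.port == page.port
    when /\A[a-z][a-z0-9+.-]*:\z/i
      # Scheme source such as "https:" matches any host using that scheme.
      emb.scheme.casecmp?(src.chomp(':'))
    else
      host_source_match?(src, emb)
    end
  end

  # Host source: [scheme://]host[:port], where host may begin with "*."
  def host_source_match?(src, emb)
    scheme, rest = src.include?('://') ? src.split('://', 2) : [nil, src]
    host, port = rest.split(':', 2)
    return false if scheme && !emb.scheme.casecmp?(scheme)
    # No explicit port in the source means only the scheme's default port
    # (443 for https) matches; URI fills emb.port with that default.
    expected_port = port ? port.to_i : emb.default_port
    return false unless emb.port == expected_port
    if host.start_with?('*.')
      suffix = host[1..]                      # "*.somesite.com" -> ".somesite.com"
      emb.host.downcase.end_with?(suffix.downcase) && emb.host.length > suffix.length
    else
      emb.host.casecmp?(host)
    end
  end
end

# Stand-alone demo using the third header from the notes above.
if $PROGRAM_NAME == __FILE__
  sources = FrameAncestors.parse(
    "frame-ancestors 'self' *.somesite.com https://myfriend.site.com"
  )
  %w[https://app.example http://shop.somesite.com https://somesite.com
     https://myfriend.site.com http://myfriend.site.com].each do |origin|
    ok = FrameAncestors.allowed?(sources, page_origin: 'https://app.example',
                                          embedder_origin: origin)
    puts "#{origin.ljust(28)} #{ok ? 'may frame' : 'blocked'}"
  end
end
```

Running the demo shows why the notes single out the port and protocol: `*.somesite.com` admits `http://shop.somesite.com` but not the bare `somesite.com`, and `https://myfriend.site.com` admits neither the plain-HTTP variant nor the same host on a non-default port.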
Some other solutions
Thankfully, you have several methods that prevent clickjacking before the users are in danger.
- Prevent framing from other domains: Stop a hacker from putting an invisible overlay on your popular content. The only way that your page can get served in a frame with this configuration is if it's the same domain as the website.
- Moving the current frame to the top: This type of code ensures that the currently active frame is the one on the top, which makes it difficult to overlay the UI with hidden elements.
- Client-side anti-clickjacking add-ons: Some web browsers, such as Firefox, have add-ons that stop scripts from running on a webpage. This approach prevents the hacker from being able to execute the script.
- Add a framekiller to the website: JavaScript frame-busting code (a "framekiller") stops pages from being pulled into an iframe.
- Use a robust cybersecurity solution: A comprehensive cybersecurity solution, such as Forcepoint, considers multiple attack vectors when securing your website and systems from hackers.