Re: X-Frame-Options and security

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi, it looks like it doesn't occur with static files using lynx. I also checked with the homepage, and same result - X-Frame-Options only shows SAMEORIGIN and does not include GOFORIT.

$ lynx -head -dump https://linuxsecurity.com/static-content/linuxsecurity_advisories.xml                                                    
HTTP/1.1 200 OK
Date: Thu, 02 Sep 2021 15:08:39 GMT
Content-Type: text/xml
Connection: close
Last-Modified: Thu, 02 Sep 2021 15:00:02 GMT
ETag: W/"2282-5cb046ff9b981-gzip"
Cache-Control: max-age=300
Expires: Thu, 02 Sep 2021 15:12:20 GMT
Vary: Accept-Encoding,User-Agent
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Feature-Policy: geolocation 'self'; vibrate 'none'
Content-Security-Policy: frame-ancestors 'self'
Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Content-Type-Options: nosniff
Age: 78
X-Cache: HIT from linuxsecurity.com
X-Cache-Detail: "cache hit" from linuxsecurity.com
CF-Cache-Status: DYNAMIC
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi
/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Uk
C0MKV7N2kk6yllw9WQA5IlyNXkPlocDP9bk4SdU3geD8ODmI7n2W11DoMmsuRiQ6RImPfZSkCRSGZynM
qvwjLGZ1qs5WN0WpFfnVoPI85wlD%2BF76XyY7Yc0T9zJz6G68YM"}],"group":"cf-nel","max_ag
e":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 6887a7a89cc5f031-EWR

Does that mean the test I used that showed GOFORIT is inaccurate?

The scan also reported that the permissions header was incorrect, and suggested we add the following:

Permissions-Policy: interest-cohort=()

Do you have any recommendations for other security settings that should be configured:

<IfModule mod_headers.c>
        Header set X-XSS-Protection "1; mode=block"
        Header set X-Frame-Options "SAMEORIGIN"
        Header set X-Content-Type-Options "nosniff"
        Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
        Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
        Header set Content-Security-Policy "frame-ancestors 'self'"
</IfModule>

Thanks,
Dave

On 9/1/21 7:43 PM, Eric Covener wrote:
On Wed, Sep 1, 2021 at 7:30 PM Dave Wreski
<dwreski@xxxxxxxxxxxxxxxxxxx.invalid> wrote:

Hi,

I ran a security scan for X-Frame-Options (https://gf.dev/x-frame-options-test) on our site (https://linuxsecurity.com), and it returned SAMEORIGIN, which is good, but it also returned GOFORIT.

The only settings we have are the following:

<IfModule mod_headers.c>
        Header set X-XSS-Protection "1; mode=block"
        Header set X-Frame-Options "SAMEORIGIN"
        Header set X-Content-Type-Options "nosniff"
        Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
        Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
        Header set Content-Security-Policy "frame-ancestors 'self'"
</IfModule>

No where are we setting GOFORIT. Is it somehow the default and necessary to explicitly disable it?

No. I'd veifry with a command-line client and see if it happens even
for static files.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux