How to deal with CSP and being contacted by a “security researcher”

Background

You might be approached by someone looking for money. They will give you this information (broken English included):

Summary:

X-Frame-Options ALLOW-FROM https://billing.example.com/login is not supported by several browsers.

Steps To Reproduce:

1. Create a new HTML file
2. Put <iframe src="https://billing.example.com/login" frameborder="0"></iframe>
3. Save the file
4. Open document in browser

Impact:

Attacker may trick a user by sending them a malicious link; when the user opens it and clicks some image, their account is unconsciously deactivated.

Solution:

The vulnerability can be fixed by adding "frame-ancestors 'self';" to the CSP (Content-Security-Policy) header.

Although the “researcher” offers advice, implementing it is another issue altogether because of the crazy, ridiculous number of configuration options for CSP. So, to keep you focused on an MVP-style config, here is what we did with NGinx, plus some advice on how to do it with Apache:

Evaluate Site for CSP Issues

First evaluate the site:

https://csp-evaluator.withgoogle.com/

Fix NGINX for iFrame Clickjacking

For NGinx, do this:

After the location block, e.g.:

location / {
    try_files $uri $uri/ /index.php?$query_string;
}
# 22 Sep 2022
# "Security Researcher" contacted us and we then added the line below
# See here: https://root.bg/en/tutorials/nginx-content-security-policy-header/
# Test with: https://csp-evaluator.withgoogle.com/
add_header Content-Security-Policy "frame-ancestors 'self' billing.example.com;";

The important line is the add_header directive. I’ve even included our comments, because I assume that as a responsible admin you’ll also comment your stuff for when the bus runs you over?

Now reload NGINX (service nginx reload), then evaluate again. You might have some success, but there is more work to do. The aim of this article is to get you going, but it would be lovely to hear from you in the comments section.

Fix Apache for CSP Clickjacking

Root access

  • Add the following line in the httpd.conf file:
Header always append X-Frame-Options SAMEORIGIN

.htaccess way

If you want to do it per site (or you don’t have root access), add the following line in the .htaccess file.

Header append X-FRAME-OPTIONS "SAMEORIGIN"
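To check what the NGINX and Apache headers above actually permit, here is an added example in Python (not code from this article or from the linked pages). It assumes the response headers are passed as a dict with lower-cased names and origins as plain strings such as https://app.example.com, and it models the browser rules the report relies on: a CSP frame-ancestors directive takes precedence over X-Frame-Options, and ALLOW-FROM is ignored by current browsers.

```python
# Added example (not the article's code): may `framer` embed `page`, given the page's
# response headers? CSP frame-ancestors wins over X-Frame-Options; ALLOW-FROM is ignored.
from urllib.parse import urlsplit

def parse_csp(header):
    """Split a CSP header value into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def source_matches(source, framer, page):
    """True if one frame-ancestors source expression lets `framer` embed `page`."""
    src, f, p = source.lower(), urlsplit(framer), urlsplit(page)
    if src == "'none'":
        return False
    if src == "'self'":
        return (f.scheme, f.netloc.lower()) == (p.scheme, p.netloc.lower())
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:       # scheme-source, e.g. https:
        return f.scheme == src[:-1]
    if "://" in src:                                # host-source with explicit scheme
        scheme, host = src.split("://", 1)
        if f.scheme != scheme:
            return False
    else:                                           # schemeless host-source: page's
        host = src                                  # scheme, or https as an upgrade
        if f.scheme not in (p.scheme, "https"):
            return False
    host = host.rstrip("/")
    if host.startswith("*."):                       # wildcard subdomain
        return f.hostname.endswith(host[1:])
    return (f.netloc.lower() if ":" in host else f.hostname) == host

def framing_allowed(headers, page, framer):
    """`headers`: response headers of `page` as a dict with lower-cased names."""
    ancestors = parse_csp(headers.get("content-security-policy", "")).get("frame-ancestors")
    if ancestors is not None:                       # a CSP frame-ancestors decides
        return any(source_matches(s, framer, page) for s in ancestors)
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return source_matches("'self'", framer, page)
    return True                                     # absent, or unsupported ALLOW-FROM
```

Feed it the headers you see with curl -I on the real pages: in NGINX, add_header is only inherited into a location block that defines no add_header of its own, so a header set at server level can silently disappear from some paths.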

Conclusion

Web security is a huge and complex field. As you can see, just adding clickjacking protection isn’t entirely straightforward, and depends on your web server and on whether you have root access or not. Also, the directives are worded completely differently across the two mainstream web server technologies. There you go, another day in the life of a server admin working under pressure to have perfect security.

References

Part 1

Part 2

We’ve included a number of additional references, but be warned, everyone has their own little version of this config so it’s a lot of reading. At least our little MVP version (without the comments) means you can go and have lunch.
