Greeting All ,
i have just started implementing CSP in my website development.
i have Nodejs/express server that serves react js with redux and react router 4
i have used create react app for frontend
i found that in nodejs there is a module called helmet and csp that i have implemented them
and i managed to get the response header as shown in the image below
but nothing happend in the frontend app unless i add the meta tag
<meta http-equiv="Content-Security-Policy" content=" frame-src 'none'">
by this meta tag i was able successfully not to load any iframe in the page but could not manage to do that without the tag
so here is my questions
is there a need for nodejs helmet module in my app ?
if so then how to integrate the nodejs helmet module with my react app
is using the meta tag of CSP in the index.html the preferred way to do it
any help is appreciated thanks
In your example, the header set by helmet: x-frame-options has the value 'SAMEORIGIN', in your meta tag it's 'none'. They just have different values, that's why the different behaviour.
Just change the config:
// ... code to create your express instance here
app.use(helmet({
frameguard: {
action: 'deny'
}
// other helmet settings...
}));
// other app middleware and starting express here...
Always use the HTTP headers rather than the meta tag. Meta tags are just DOM elements, hence can be tampered with. Not so easily with headers and by using headers you ask browsers to comply with your CSP.
RFC 7034:
Furthermore, X-Frame-Options must be sent as an HTTP header field and
is explicitly ignored by user agents when declared with a meta
http-equiv tag.
Related
I am trying to create web application using React and Node that is secure from Click jacking, I have understood that i need to either set the X-Frame-Options to deny manually or use helmet to prevent other sites loading my web app using iframes. I have set the below config in my index.js of server
const helmet = require("helmet")
app.use(helmet())
When i try to call a get Login API from inside an iframe of a decoy website(basic html page), i am getting a status 200 response and the web app is loaded into the iframe. But i believe the web app should fail to load in the iframe of decoy site. My Login component looks something like this.
function Login(){
useEffect(()=>{
Axios.get(`http://localhost:8888/isLoggedIn`, {
headers:{
"x-access-token": localStorage.getItem("token")
}
}).then((response)=>{
console.log(response)
if(response.data.loggedin){
navigate("/")
}
})
}
As mentioned in the problem, I am getting 200 for isLoggedIn call.
When i checked the api call from the decoy site network tab, I see the isLoggedIn call has origin set to "http://localhost:3000", which is actual domain of react app.
Below is the decoy site html code.
<body>
<div id="decoy_website">
Decoy Web Site for Secure Login Page
</div>
<iframe id="target_website" src="http://localhost:3000/login">
</iframe>
</body>
Please let me know if i am not using the helmet the correct way, or the additional steps that need to be done to prevent my site from click jacking.
So i tried to make my first request with passport set up, im being blocked by cors even if i set up my dashboard and my cors options are correctly done.
Also none of my console.logs are showing up even if i can see the requests sent from the front end like in 3rd pic. (this by using the chrome plugin to bypass cors)
passportSetUp
auth function
cors bypassed with chrome plugin
I solved it by using an a tag instead of making the actual fetch request.
example :
<a href="link to my backend route" </a>
In this way the href will make a get request to that link!
We have deployed the api on azure and trying to consume in our web app written in angular 5. However when we try to consume the api we are getting following errors.
Chrome Mixed Content: The page at 'https://somedevapp.azurewebsites.net/#/managesomething' was loaded
over HTTPS, but requested an insecure XMLHttpRequest endpoint
'http://admindevapp.azurewebsites.net/api/data/getdata'. This request
has been blocked; the content must be served over HTTPS.
Firefox Blocked loading mixed active content
Is this issue related to CORS? How to resolve this issue?
Any help on this appreciated!
If your web app is being hosted over HTTPs as you've indicated, then all external resources it is consuming (CDN, scripts, CSS files, API calls) should also use SSL and be secured through HTTPs. Think about it. It would defeat the purpose of your app being secure, if your app was in turn making insecure requests to an API.
You can either therefore:
As Chrome suggests, change your API calls to use HTTPs (recommended)
Use HTTP instead of HTTPs
Add the following meta tag to your <head> element in your HTML:
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests" />
More information about this can be found here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests.
Use this ---- Add in your head section
I will try this with my weather application & now it's working fine
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
only add this on header section.
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
you can use this only if your resource API supports the HTTPS request.
example: "http://ip-api.com/json" and "https://ip-api.com/json" both will not return the same response if "ip-api.com" doesn't support HTTPS requests.
The meta tag below helps to prevent Chrome complaining about HTTP request made. I was working on a class projects (a weather app) and the API call over HTTP and adding an S to the HTTP call doesn't help. Since this a project a there no major issue. The meta tag share above by #Medhi Ibrahim does the trick.
<meta
http-equiv="Content-Security-Policy"
content="upgrade-insecure-requests"
/>
i tried to remove the "meta solution" on index.
And removed the "s" on environment.prod.ts
When i sign in " http://app.finoview.com" the api Nestjs works.
But when i try to log in "https://finoview.com", angular works, but the api nestjs doesnt work.
Here is the image:
I know there are tons of questions regarding CORS policy in HTML5 tag.
All of them are talking about the server side settings that you need to change the access headers in the server settings or put the headers yourself in the php file etc.
But i am loading images using Loader class and i don't have access to that server.
how do i change the :
Access-Control-Allow-Origin to *
i tried pushing the headers with the URL Request :
urlRequest.requestHeaders.push( new URLRequestHeader( 'Access-Control-Allow-Origin', '*' ) );
but no matter what i did :
i get this error :
Complete code snippet:
loader = new Loader();
loader.contentLoaderInfo.addEventListener(Event.COMPLETE, onImageLoadComplete);
var request:URLRequest = new URLRequest();
request.url = "http://www.someserver.com/some_image.jpg";
request.contentType = "image/jpeg"; //tried it didn't make a difference
request.requestHeaders.push( new URLRequestHeader( 'Access-Control-Allow-Origin', '*' ) );
loader.load(request);
In order to enable cross-origin requests, you will need to add the header on the server side. The alternative is to disable web security:
Disable same origin policy in Chrome
There was a window of time on OpenFL 6.3.0 (before 6.4.0 was released) where there was a regression in the default behavior of openfl.net.Loader (in regards to CORS), but this is resolved in OpenFL 6.4.0 or newer.
Is this for development purposes? I only ask because of the 127.0.0.1 URL involved. It looks like you are hosting your game on 127.0.0.1:3000 and requesting a URL at www.___.com/___.jpg, correct?
Not considering OpenFL specifically, one typical solution would be that the server at 127.0.0.1:3000 could have a proxy capability, fetching and serving images from another web server, so that the browser doesn't see the difference.
This wouldn't help you in the real world, but if you're talking about a development environment, perhaps it's be a workaround.
I cannot access a custom heroku API endpoint in a react/redux app. The heroku endpoint loads up fine in a browser, and I can see the network request coming back on my console, so it seems something in my app itself is preventing it from returning.
It's the classic 'No 'Access-Control-Allow-Origin' header is present on the requested resource' error, but what's perplexing is that I can use another endpoint (such as openweather's API) and don't get this error.
Do I need to use Express or other middleware to deal with Heroku specifically? I'm creating a store with ReduxPromise middleware right now and am using Axios to make the request. Or is there a server side configuration on Heroku that might change this?
Thanks for your help, pretty new to react/redux/node =)
This is a CORS issue, you need to add a cors configuration into your API request and accept the origins on the server side using access-control-allow-origin header and accepting the referrer url of the request.
These are my configuration options when using redux-api to make the requests, look at the documentation for your specific framework:
export const baseOptions = {
mode: 'cors',
credentials: 'include',
headers
}