Helmet js: iframe blocking

benjaminadk · August 13, 2017, 2:01pm

I saw a video with quincy talking about beta fcc and how he was psyched on helmet and other security stuff that will be part of the core curriculum at some point.

anyways, i just added helmet to a node/express project i am working on. i got the hidePoweredBy header to work. for clarity, it lets you hide the fact that your app is an express app. it even lets you make up your own value that will appear in the x-powered-by header. my express app is now powered by Go version 1.8.3. so i know i have the helmet middleware and corresponding config object in the right spot. essentially, it is working. However…
54 AM
Helmet also offers this feature that is supposed to block people from putting your page in an iframe. apparently, hackers can have another invisible page in the background with your stuff over top in an iframe. they can trick users into clicking on a like button and or other more malicious things.

i figured i would test it out. so i launched my server from cloud 9 with my app. i then went to codepen and made an iframe pointing to my c9 url for the app. and it let me do it. i was under the impression that the following code blocked anyone from iframing my site anywhere.

app.use(helmet({
  hidePoweredBy: {setTo: 'Go 1.8.3'},
  frameguard: {action: 'deny'}
}));

maybe someone with more experience using helmet can help. the official docs don’t really show this sort of setup, they instead say just use app.use(helmet()) or app.use(helmet.frameguard({ action: 'deny' })) but in the fcc repo they recommend this sort of literal config object, which to me, is really the same thing as using the dot notation, i am just being more literal.

also, i haven’t seen the X-Frame-Options header anywhere in my dev tools. i am wondering which link in the chain is letting this happen, or if i am just missing something.

Edit: i have tried hard-reloads and remaking the codepen. i am so not an expert on http headers, but i think the issue is i am not getting the header to begin with. i am following helmet suggestion and putting it at the top of my middleware chain. maybe there is something with c9 that i don’t get.

anon52159105 · August 18, 2017, 1:25pm

Even if you block framing, there’s nothing stopping an attacker from embeding your page as an image in the background. This could use your authnicated session to send forged GET requests, this is known as cross-site-request-forgery (CSRF Attacks). This page (Cross-Site Request Forgery Prevention - OWASP Cheat Sheet Series) has some good information on blocking these types of attacked.

Yup CSRF attacks suck and are a pain to block. However blocking iframing doesn’t always stop this as you can embed the page URL as image.