
Add Clickjacking Defense
ikus060 committed Sep 8, 2022
1 parent 3c497da commit 7294bb7
Showing 3 changed files with 24 additions and 6 deletions.
4 changes: 4 additions & 0 deletions README.md
Expand Up @@ -107,6 +107,10 @@ Professional support for Rdiffweb is available by contacting [IKUS Soft](https:/

# Changelog

## 2.4.1 (2022-09-08)

* Add Clickjacking Defense

## 2.4.0 (2022-06-21)

This new release brings a lot of improvement since the last version, multiple bug fixes
8 changes: 8 additions & 0 deletions rdiffweb/controller/tests/test_csrf.py
Expand Up @@ -71,3 +71,11 @@ def test_post_without_origin(self):
self.getPage('/', method='POST')
# Then the request is accepted with 200 OK
self.assertStatus(200)

def test_clickjacking_defense(self):
# Given a POST request made to rdiffweb
# When the request is made without an origin
self.getPage('/')
# Then the request is accepted with 200 OK
self.assertStatus(200)
self.assertHeaderItemValue('X-Frame-Options', 'DENY')
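Review bot: The Given/When comments in test_clickjacking_defense were copied from test_post_without_origin and no longer describe the test: the call is a plain GET to '/' and origin is irrelevant to what is asserted. Replace them with `# Given a GET request made to rdiffweb`, `# When the response is returned` and `# Then the response carries X-Frame-Options: DENY` so the scenario matches the assertions. It would also be worth a second case asserting the header on a non-200 response (e.g. a not-found path), since the header is set from a before_finalize hook and I am not certain that hook runs on every error path in CherryPy. The enclosing test class starts outside this hunk.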
18 changes: 12 additions & 6 deletions rdiffweb/tools/security.py
Expand Up @@ -36,10 +36,13 @@ class CsrfAuth(HandlerTool):
"""
This tool provide CSRF mitigation.
First, by defining `SameSite=Lax` on the cookie
Second by validating the `Origin` and `Referer`.
* Define X-Frame-Options = DENY
* Define Cookies SameSite=Lax
* Validate `Origin` and `Referer` on POST, PUT, PATCH, DELETE
Ref.: https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
Ref.:
https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html
https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html
"""

def __init__(self):
Expand All @@ -48,14 +51,17 @@ def __init__(self):
self._priority = 71

def _setup(self):
cherrypy.request.hooks.attach('before_finalize', self._set_same_site)
cherrypy.request.hooks.attach('before_finalize', self._set_headers)
return super()._setup()

def _set_same_site(self):
def _set_headers(self):
response = cherrypy.serving.response
# Define X-Frame-Options to avoid Clickjacking
response.headers['X-Frame-Options'] = 'DENY'
# Awaiting bug fix in cherrypy
# https://github.com/cherrypy/cherrypy/issues/1767
# Force SameSite to Lax
cookie = cherrypy.serving.response.cookie.get('session_id', None)
cookie = response.cookie.get('session_id', None)
if cookie:
cookie['samesite'] = 'Lax'

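Review bot: _set_headers sends only the legacy X-Frame-Options header, while the Clickjacking Defense cheat sheet the new docstring links to recommends Content-Security-Policy frame-ancestors as the primary control, with X-Frame-Options kept for older browsers. Unless a CSP header is already emitted elsewhere in the app (not visible here), add `response.headers['Content-Security-Policy'] = "frame-ancestors 'none'"` next to the X-Frame-Options line, with the comment `# CSP frame-ancestors supersedes X-Frame-Options in modern browsers; keep both`. The docstring of CsrfAuth now also documents a non-CSRF header under a tool whose description is "CSRF mitigation"; a one-line note such as `The X-Frame-Options header is unrelated to CSRF but is emitted here because this tool already owns the response-header hook.` would explain the placement. CsrfAuth's class header and the first hunk lie outside this hunk.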
