Reputation: 2792
Is it possible to prevent Clickjacking or a "UI redress attack" through any of the AWS security services like WAF or CloudFront?
https://www.owasp.org/index.php/Clickjacking
It is known that certain security HTTP headers can be added to responses to user requests that instruct browsers to enforce certain security measures, as follows:
These can be configured at the back-end code level; however, I would like to know, if one desires not to set these parameters at the application level, whether this can be done at the AWS level using any of their security gateway services like WAF or CloudFront.
Upvotes: 2
Views: 2147
Reputation: 2914
EDIT: This has a similar answer here:
For those that come along now, you can use Lambda@Edge to add HSTS headers as well as other "frame-buster" headers like x-frame-options and referrer-policy.
This is quite cheap, working out to about 30 cents per million requests.
This link from the AWS networking and content delivery blog describes how to do this in detail.
It is too long to repeat the entire contents here but essentially it describes the following process flow:
Here is how the process works:
- Viewer navigates to website.
- Before CloudFront serves content from the cache it will trigger any Lambda function associated with the Viewer Request trigger for that behavior.
- CloudFront serves content from the cache if available, otherwise it goes to step 4.
- Only after a CloudFront cache 'Miss' is the Origin Request trigger fired for that behavior.
- S3 Origin returns content.
- After content is returned from S3 but before being cached in CloudFront, Origin Response trigger is fired.
- After content is cached in CloudFront, Viewer Response trigger is fired and is the final step before viewer receives content.
- Viewer receives content.
Once again, in case the blog linked to disappears, the code below is a sample to add security headers via Lambda (remembering this is to be run by CloudFront using the Lambda@Edge integration):

```javascript
'use strict';

// Lambda@Edge handler for the Origin Response (or Viewer Response) trigger.
// CloudFront hands the response in event.Records[0].cf.response; header names
// are lowercase keys whose values are arrays of {key, value} objects.
exports.handler = (event, context, callback) => {
    // Get contents of response
    const response = event.Records[0].cf.response;
    const headers = response.headers;

    // Set new headers
    headers['strict-transport-security'] = [{key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubdomains; preload'}];
    headers['content-security-policy'] = [{key: 'Content-Security-Policy', value: "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'"}];
    headers['x-content-type-options'] = [{key: 'X-Content-Type-Options', value: 'nosniff'}];
    headers['x-frame-options'] = [{key: 'X-Frame-Options', value: 'DENY'}];
    headers['x-xss-protection'] = [{key: 'X-XSS-Protection', value: '1; mode=block'}];
    headers['referrer-policy'] = [{key: 'Referrer-Policy', value: 'same-origin'}];

    // Return modified response
    callback(null, response);
};
```
Upvotes: 1
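As an added example (not the answer's code and not AWS's own), here is a Lambda@Edge origin-response handler in the same event shape that adds the anti-clickjacking and related headers only when the origin has not already sent them, plus a small audit helper for checking a captured response for framing protection. The event layout follows the CloudFront format shown above; the sample responses in the comments and test are constructed.

```javascript
'use strict';

// Headers to add when the origin did not set them. CSP frame-ancestors is the
// modern replacement for X-Frame-Options; both are sent for older browsers.
const SECURITY_HEADERS = {
  'x-frame-options': { key: 'X-Frame-Options', value: 'DENY' },
  'content-security-policy': { key: 'Content-Security-Policy', value: "frame-ancestors 'none'" },
  'x-content-type-options': { key: 'X-Content-Type-Options', value: 'nosniff' },
  'strict-transport-security': { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' },
  'referrer-policy': { key: 'Referrer-Policy', value: 'same-origin' },
};

// Add each header only if absent, so an origin that sends its own policy
// (e.g. X-Frame-Options: SAMEORIGIN for an app that frames itself) keeps it.
// Lambda@Edge expects lowercase keys holding arrays of {key, value}.
function addSecurityHeaders(response) {
  const headers = response.headers || (response.headers = {});
  for (const [name, header] of Object.entries(SECURITY_HEADERS)) {
    if (!headers[name] || headers[name].length === 0) {
      headers[name] = [{ key: header.key, value: header.value }];
    }
  }
  return response;
}

// True when the response blocks framing via X-Frame-Options DENY/SAMEORIGIN
// or a CSP frame-ancestors directive. The obsolete ALLOW-FROM value and an
// absent header count as unprotected.
function hasFramingProtection(response) {
  const headers = response.headers || {};
  const xfo = (headers['x-frame-options'] || []).map(h => h.value.trim().toUpperCase());
  if (xfo.some(v => v === 'DENY' || v === 'SAMEORIGIN')) return true;
  const csp = (headers['content-security-policy'] || []).map(h => h.value);
  return csp.some(v => /(^|;)\s*frame-ancestors\s+/i.test(v));
}

// Origin Response trigger entry point (async form; returning the response
// is equivalent to callback(null, response)).
async function handler(event) {
  return addSecurityHeaders(event.Records[0].cf.response);
}

if (typeof module !== 'undefined') {
  module.exports = { handler, addSecurityHeaders, hasFramingProtection };
}
```

Run hasFramingProtection against responses fetched from the distribution after deploying to confirm the trigger is attached to the right cache behavior; a response from a behavior without the association will show up as unprotected.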
Reputation: 4451
You can take some actions at the server level by adding the response headers mentioned in the link below:
Upvotes: 1