Fix/clickjacking vulnerability fix

[atharv02-git]

Base Branch: 8.0.x

Note: Making a PR to thoth-tech/doubtfire-deploy branch only for peer review purpose.

Description

• This PR addresses Clickjacking and potential XSS vulnerabilities by adding appropriate security headers to the proxy-nginx.conf file used in production. These headers are now enforced at the outer reverse proxy layer (doubtfire-deploy) to ensure consistent protection across all services.
• The changes follow recommendations from the AppAttack x OnTrack vulnerability report and align with security best practices for modern web applications.

Note

Kindly go through the attached documentation first inorder to understand what this fix is about in detail and how it can be tested.

What was changed:

• Modified: production/shared-files/proxy-nginx.conf

Fixes # (Clickjacking vulnerability (AppAttack finding))

Type of change

• Bug fix (non-breaking change which fixes an issue)
• This change requires a documentation update

How Has This Been Tested?

• Used browser DevTools to inspect headers returned for application responses
• Yet to test Clickjacking Prevention in a Malicious <Iframe> Setup as listed in the report.

Testing Checklist:

• Tested in latest Chrome
• Needs to be tested inside a dedicated environment like kali linux inside a virtual box.

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings @b0ink, @ibi420, and Iris

[ibi420]

This directly fixes the clickjacking vulnerability. From my test following the methods outlined in the documentation from Appattack, I was able to replicate this attack and confirm that this fix effectively stops the attack.

[lachlan-robinson]

Hey @atharv02-git, well done addressing the clickjacking vulnerability.

• X-Frame-Options: DENY prevents the page from being framed by any site, which will mitigate clickjacking attacks as intended.
• frame-ancestors 'none' is a more modern approach which addresses the issue as well.
• Overall, you have addressed the clickjacking concern here with redundancy which is good.

[aNebula]

LGTM.
Please open an upstream PR against 9.x branch of doubtfire-deploy .
In the description add reference of the upstream of thoth-tech/doubtfire-web#322 and vice-versa.

[atharv02-git]

LGTM. Please open an upstream PR against 9.x branch of doubtfire-deploy . In the description add reference of the upstream of thoth-tech/doubtfire-web#322 and vice-versa.

LGTM. Please open an upstream PR against 9.x branch of doubtfire-deploy . In the description add reference of the upstream of thoth-tech/doubtfire-web#322 and vice-versa.

Hi @aNebula,
I’ve opened the upstream Pull Request to the doubtfire-lms/doubtfire-deploy repository (9.x branch) as requested.
The PR description includes a reference to the related upstream PR for thoth-tech/doubtfire-web#322, as well as a cross-link back to the old deploy PR.