Conversation

@atharv2-git

Base Branch: 9.x

Note: This PR is made to doubtfire-lms/doubtfire-deploy as an upstream contribution after peer review, AppAttack security verification, and mentor approval.

Description

This PR adds security headers to the production reverse proxy configuration (proxy-nginx.conf) to mitigate Clickjacking and potential XSS vulnerabilities across all Doubtfire services.

  • These headers are enforced at the outer proxy level to ensure a consistent and centralized security model for upstream services like doubtfire-web.
  • The patch aligns with recommendations from the AppAttack x OnTrack security audit and modern web security best practices.

The corresponding inner doubtfire-web service PR is available at:
🔗 doubtfire-lms/doubtfire-web#946

Headers Added

  • X-Frame-Options: DENY
  • Content-Security-Policy: default-src 'self', and frame-ancestors 'none'

Both headers prevent the application from being embedded in <iframe> tags, effectively blocking clickjacking attempts.

What was changed

  • Modified file: production/shared-files/proxy-nginx.conf
  • Added security headers to the HTTP response block so that they are applied globally at the reverse proxy layer.

Fixes: Clickjacking vulnerability reported by AppAttack using <iframe> injection methods.

Reference PRs

Testing Summary

  • Verified that all production responses now include the expected security headers.
    • X-Frame-Options: DENY
    • Content-Security-Policy: default-src 'self', and frame-ancestors 'none'
  • Confirmed with browser DevTools that headers are applied globally and cannot be overridden downstream.
  • Peer review and attack simulation by AppAttack confirmed that malicious framing attempts are blocked.
  • Security validation approved by:
    • @ibi420 - confirmed header propagation and patch success
    • @lachlan-robinson - verified redundant defense and correct config
    • @DarrylO21 (AppAttack Lead) - validated real-world attack prevention
    • @theiris6 - verified production readiness
    • @aNebula - approved upstream PR after mentor review

Checklist

  • Headers added only to proxy-nginx.conf (no unrelated changes)
  • Forked cleanly from 9.x branch
  • All requested changes and reviews completed
  • Upstream web PR cross-linked

@b0ink (Member) commented Nov 12, 2025

This change on its own won't be compatible with the new LTI features, as we need OnTrack to be embedded in sites like Moodle, which is done using an iframe.

We could potentially whitelist permitted domains using this...

add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'self' https://moodle.example.edu;" always;

@b0ink b0ink closed this Nov 12, 2025
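An added checker for the question this thread turns on, written for this page and not part of the PR or of Doubtfire: given a response's headers, which origins may put the page in an iframe? It covers both header sets discussed above, the PR's `X-Frame-Options: DENY` plus `frame-ancestors 'none'`, and the allowlist b0ink suggests for LTI embedding, and goes slightly beyond them by handling `'self'`, scheme sources, `*.host` wildcards and ports. The OnTrack, Moodle and attacker origins are constructed placeholders, and `framing_allowed`, `parse_csp` and the other names are the example's own. The precedence it encodes is the CSP rule: when `frame-ancestors` is present, a CSP-aware browser ignores X-Frame-Options entirely.

```python
"""Model which origins a response's anti-framing headers let embed it.

Added example for this thread, not code from the PR or from Doubtfire.
All header values and origins below are constructed placeholders.
Precedence follows CSP: if a Content-Security-Policy carries
frame-ancestors, a CSP-aware browser ignores X-Frame-Options entirely.
"""
from __future__ import annotations

from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are ';'-separated; a repeated directive is ignored, as in browsers.
    """
    policy: dict[str, list[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() not in policy:
            policy[parts[0].lower()] = parts[1:]
    return policy


def origin_of(url: str) -> tuple[str, str, int | None]:
    """(scheme, host, effective port) for a URL, default port filled in."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def source_matches(source: str, embedder: str, page: str) -> bool:
    """Does one frame-ancestors source expression match the embedder origin?"""
    if source == "'none'":
        return False
    e_scheme, e_host, e_port = origin_of(embedder)
    if source == "'self'":
        return (e_scheme, e_host, e_port) == origin_of(page)
    src = source.lower()
    if src == "*":
        return True
    if src.endswith(":"):                       # scheme-source, e.g. "https:"
        return e_scheme == src[:-1]
    if "://" not in src:                        # bare host inherits the page's scheme
        src = f"{origin_of(page)[0]}://{src}"
    s = urlsplit(src)
    s_host = (s.hostname or "").lower()
    if s.scheme != e_scheme:
        return False
    if s_host.startswith("*."):                 # "*.example.edu" matches any subdomain
        if not e_host.endswith(s_host[1:]):
            return False
    elif s_host != e_host:
        return False
    return (s.port or DEFAULT_PORTS.get(s.scheme)) == e_port


def framing_allowed(headers: dict[str, str], page: str, embedder: str) -> bool:
    """True if `embedder` may load `page` in an <iframe> under `headers`."""
    csp = parse_csp(headers.get("Content-Security-Policy", ""))
    if "frame-ancestors" in csp:                # CSP wins; X-Frame-Options is ignored
        return any(source_matches(s, embedder, page) for s in csp["frame-ancestors"])
    xfo = headers.get("X-Frame-Options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return origin_of(embedder) == origin_of(page)
    return True                                 # absent or invalid XFO: no protection


# Constructed header sets for the two configurations discussed in the thread.
PR_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}
LTI_HEADERS = {
    "Content-Security-Policy":
        "default-src 'self'; frame-ancestors 'self' https://moodle.example.edu",
}
PAGE = "https://ontrack.example.edu/"                    # placeholder OnTrack origin
MOODLE = "https://moodle.example.edu/mod/lti/view.php"   # placeholder LTI consumer
ATTACKER = "https://evil.example/clickjack.html"         # constructed framing page

if __name__ == "__main__":
    for name, hdrs in (("PR headers", PR_HEADERS), ("LTI allowlist", LTI_HEADERS)):
        for who, url in (("Moodle", MOODLE), ("attacker", ATTACKER), ("self", PAGE)):
            verdict = "allowed" if framing_allowed(hdrs, PAGE, url) else "blocked"
            print(f"{name:14} {who:9} {verdict}")
```

Two nginx details the checker deliberately does not model. `add_header` adds a header to the response rather than replacing one the upstream already sent, so if doubtfire-web also emits its own X-Frame-Options the client receives both values; `proxy_hide_header` strips the upstream copy when the proxy is meant to be authoritative. And without the `always` parameter that b0ink's line includes, `add_header` is applied only to 2xx and 3xx responses, which leaves error pages frameable.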