Does your application let users do stuff by clicking on things? If so, you should use clickjacking protection to defend your site using the CSP frame-ancestors directive. What? You don’t spend all your free time studying the latest web specs and learning how to use them to protect your site?! Well, fortunately, we do.
If you have tCell running on your application it’s very straightforward to protect it from clickjacking attacks. tCell utilizes the frame-ancestors directive of Content Security Policy (CSP) to accomplish this task. Here’s how easy it is to set up and maintain clickjacking protection.
Setting Up Clickjacking Protection
To begin, go to Settings -> Policies -> Clickjacking and enable Report Only for the Clickjacking Enforcement Mode.
Then, select whether you want your application to only frame its own pages or if you would like to allow (whitelist) external URIs that are allowed to frame your pages. Add the Allowed URIs to the policy and let the application run a few days.
tCell adds the header for you and shows you the violation in our intuitive web interface so you don’t need to know the details of the CSP spec. This will allow you the opportunity to look at the Excluded URIs list to see any missed URIs that need to be added to your policy before you start blocking. Once you are confident in your URIs, set the Clickjacking Enforcement Mode to Block and Report.
Done! You and your users are now protected from clickjacking attacks. tCell does the heavy lifting and worries about the browsers changing over time. It also notifies you of all failed clickjacking attempts. Real world experience shows that it’s important to get these notifications as it’s possible your company could add a new partner website that needs to frame your pages. However, I am sure that at your company no one, like your marketing team, ever changes anything without immediately notifying the ops and security teams. 🙂
Note: If you don’t want to allow any type of framing, not even the application framing its own pages, then enable Block and Report for the Clickjacking Enforcement Mode and select the No one can frame my site (Block Mode Only) for the Frame Mode.
Clickjacking protection should be on every company’s radar to protect its users and reputation. To learn more about clickjacking, please check out my recent blog post – Intimate Thoughts on Clickjacking With Igor. We also have a lot of helpful tips around CPS, if you want to dive deeper –Top 3 Reasons to Get Started with Content Security Policy, Content Security Policy: Newer CSP Directives & Common Problems and 3 Simple Ways to Approach Content Security Policy.
Thanks for reading! If you have any questions about clickjacking protection with tCell, let us know.