Clickjacking prevention


  • Glenn Vergara
    replied
    You can add X-FRAME-OPTIONS at the server level via htaccess.

    https://htaccessbook.com/increase-se...urity-headers/

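As an added example of the server-level approach described above (not code from the thread or from vBulletin), this is an `.htaccess` fragment that sets both anti-framing headers on every response from the directory tree. It assumes Apache with `mod_headers` enabled; the header values are the "only my own origin may frame this" setting.

```apache
# Added example: .htaccess fragment, assumes Apache with mod_headers enabled.
<IfModule mod_headers.c>
    # Legacy header, honoured by every browser: only this same origin may frame the page.
    Header always set X-Frame-Options "SAMEORIGIN"
    # Modern equivalent; when it is present, browsers ignore X-Frame-Options in favour of it.
    Header always set Content-Security-Policy "frame-ancestors 'self'"
</IfModule>
```

Two practical caveats: `Header set` replaces any Content-Security-Policy header the application already sends, so if vBulletin or another rule emits one, add `frame-ancestors 'self'` to that policy instead of setting a second one. And both headers are only honoured as real HTTP response headers; a `<meta http-equiv>` tag in the headinclude template is ignored for `frame-ancestors` and for X-Frame-Options, so this has to be done at the server or application level. Verify with `curl -I` against the forum URL after the change.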


  • Wayne Luke
    replied
    Clickjacking is a technique where a malicious website owner overlays a "link" to their site on the content of another website. This could be to gain things similar to likes on Social Media, Retweets, Pinterest Pins, etc... It could also be used to redirect users to their site. So the simplest way to prevent Clickjacking from other sites leading to your own is to not do that.

    Can a user create an elaborate clickjacking routine so they get more likes on your site? Sure. My question would be why? What benefit will they get out of it? They can't get any more access to your information or user data than they can if they just register. They can't use it to gain cookie information since your site would be in a hidden iframe. They can't use it to get password information, again your site is in a hidden iframe. Even if they somehow included Javascript in the hidden iframe of your site, they can't ask for this information. We don't allow Javascript to use our cookies. The user's browser secures that. It is still your site. It would be as if the user visited directly in their browser.

    If you don't allow users to post HTML, they can't clickjack your members or try to set up a Phishing Scheme.
    Last edited by Wayne Luke; Tue 22nd Jan '19, 8:33am.



  • In Omnibus
    replied
    Originally posted by Oore
    HTML isn't allowed for users. I'm not concerned my users are doing clickjacking.

    I'm concerned my forum will be rendered in frames/iframes on third party websites for clickjacking. How to prevent this from happening and protect my users?
    You have to write your own Content-Security-Policy. There can't be a "one-policy-fits-all" CSP. There are a number of good resources for how to do this. Here's one:

    https://hacks.mozilla.org/2016/02/im...curity-policy/

    You can add any meta tags to the headinclude template.



  • Oore
    replied
    HTML isn't allowed for users. I'm not concerned my users are doing clickjacking.

    I'm concerned my forum will be rendered in frames/iframes on third party websites for clickjacking. How to prevent this from happening and protect my users?



  • In Omnibus
    commented on 's reply
    The only way anyone could do this is if you allow HTML. As Wayne Luke said the way to prevent this in vBulletin 5 is to disallow HTML, which is a per usergroup setting in the admin control panel. It would be highly unusual for any forum to allow any member to post HTML, including iFrames. In fact, the entire purpose of BBCode is to allow users to do certain things without using HTML.

  • Oore
    replied
    Clickjacking is usually from an external website by rendering another in a frame or an iframe.

    A solution to prevent this is to return the X-Frame-Options HTTP header, or a Content-Security-Policy header with the 'frame-ancestors' directive, with the page's response. This prevents the content from being rendered by another site using the frame or iframe HTML tags.

    Is there a section in vBulletin to configure the HTTP header?

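To make the mechanism in the post above concrete, here is an added worked example in Python (not part of this thread and not vBulletin code). Given a page's response headers and the chain of origins framing it, it decides whether a browser will render the page, following the X-Frame-Options and CSP `frame-ancestors` rules browsers apply: `frame-ancestors` takes precedence when present, `SAMEORIGIN` compares every ancestor against the page's origin, and the deprecated `ALLOW-FROM` form is treated as an invalid value that current browsers ignore. The forum URL, hostnames and header sets are constructed sample data.

```python
# Added example: evaluate framing protection headers the way a browser does.
# Illustration for checking a forum's headers, not browser code.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Normalise a URL to (scheme, host, port), defaulting the port by scheme."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)


def source_matches(src, ancestor, page):
    """Does one frame-ancestors source expression match an ancestor origin?"""
    src = src.strip().lower()
    if src == "'none'":
        return False
    if src == "*":
        return True
    if src == "'self'":
        return ancestor == page
    if src.endswith(":") and "/" not in src:      # scheme source, e.g. "https:"
        return ancestor[0] == src[:-1]
    # Host source: [scheme://]host[:port|:*]; host may start with "*." for subdomains.
    any_port = src.endswith(":*")
    if any_port:
        src = src[:-2]
    has_scheme = "://" in src
    s_scheme, s_host, s_port = origin_of(src if has_scheme else f"{ancestor[0]}://{src}")
    if has_scheme and s_scheme != ancestor[0]:
        return False
    if s_host.startswith("*."):
        if not ancestor[1].endswith(s_host[1:]):   # "*.example.com" matches "x.example.com", not "example.com"
            return False
    elif s_host != ancestor[1]:
        return False
    return any_port or s_port == ancestor[2]


def frame_ancestors_sources(csp_value):
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]                        # empty list matches nothing
    return None


def may_be_framed(page_url, headers, ancestor_urls):
    """Return (allowed, reason) for rendering page_url inside the given ancestor chain.

    ancestor_urls lists every framing document, innermost first; all must be allowed.
    headers is a single response's headers (one CSP header; multiple are not merged here).
    """
    page = origin_of(page_url)
    ancestors = [origin_of(u) for u in ancestor_urls]
    if not ancestors:
        return True, "not framed"
    h = {k.lower(): v for k, v in headers.items()}

    # CSP frame-ancestors wins; when it is present X-Frame-Options is ignored.
    sources = frame_ancestors_sources(h.get("content-security-policy", ""))
    if sources is not None:
        for anc in ancestors:
            if not any(source_matches(s, anc, page) for s in sources):
                return False, f"frame-ancestors blocks {anc[0]}://{anc[1]}"
        return True, "allowed by frame-ancestors"

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        if all(anc == page for anc in ancestors):
            return True, "same-origin framing allowed"
        return False, "X-Frame-Options: SAMEORIGIN blocks a cross-origin ancestor"
    if xfo:
        # ALLOW-FROM and any other value are invalid in current browsers: the header is ignored.
        return True, f"unrecognised X-Frame-Options value {xfo!r} ignored, page is frameable"
    return True, "no framing protection header"


# Constructed sample data, as an admin might capture with "curl -I" on their forum.
FORUM = "https://forum.example.com/forum/"
UNPROTECTED = {"Content-Type": "text/html"}
HARDENED = {
    "Content-Type": "text/html",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.example.com",
}

if __name__ == "__main__":
    for label, hdrs in (("unprotected", UNPROTECTED), ("hardened", HARDENED)):
        for chain in ([], ["https://forum.example.com/"], ["https://attacker.example/"]):
            print(label, chain or "top-level", may_be_framed(FORUM, hdrs, chain))
```

Run it and the unprotected headers are frameable from any origin, while the hardened set blocks `attacker.example`, admits `forum.example.com` and its sibling subdomains, and still blocks a nested chain where a same-origin frame is itself inside an attacker page. The `ALLOW-FROM` branch is the edge case worth remembering: a header that looks like it restricts framing can in fact be ignored entirely.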


  • Wayne Luke
    replied
    Not sure how someone can do clickjacking with the default settings of a vBulletin 5 Installation. The obvious way to prevent this is to leave the "Can Use HTML" permission set to No for all users.



  • Oore
    started a topic Clickjacking prevention

    Hello,

    Does vBulletin have anything included to prevent clickjacking?

    Thanks!

    Regards,
    Oore