
Clickjacking is especially scary because most web apps are probably vulnerable. The default httpd.conf that ships with most package managers doesn't include the X-Frame-Options header. (Perhaps it should.)

Based on my testing, it appears Rails does not add that header either. Do any other frameworks?



Rails 4 includes that as a default header [1] and has done since August 2012 [2].

[1]: https://github.com/rails/rails/blob/master/guides/source/sec...
[2]: https://github.com/rails/rails/commit/2a290f7f7cdf775491eda0...


It appears we're each partially right: If you generated a new Rails app after August 2012, you get the header by default. If you generated the app before August 2012, you do not get the header by default.

So PSA: Updating Rails in an existing app does not cause this header to be added. You must add it yourself in application.rb if it's not already there. See garethadams' footnote #2 above.
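The mechanism the thread is describing (Rails 4's `config.action_dispatch.default_headers` in `config/application.rb`) is a default that fills in `X-Frame-Options` only when the response does not already carry one. Below is an added example, not code from the thread or from Rails itself: a dependency-free Rack-style middleware that behaves the same way, plus a small classifier you can run over a response's headers to see whether the app is still exposed to framing. The sample apps and the `frame_protection` / `response_headers` names are constructed for the example.

```ruby
class FrameOptionsDefault
  HEADER = 'X-Frame-Options'.freeze

  def initialize(app, value: 'SAMEORIGIN')
    @app = app
    @value = value
  end

  # Rack contract: #call(env) returns [status, headers, body].
  def call(env)
    status, headers, body = @app.call(env)
    # Header names are case-insensitive; keep whatever the app already chose.
    headers[HEADER] = @value unless headers.keys.any? { |k| k.casecmp?(HEADER) }
    [status, headers, body]
  end
end

# Classify a response's framing protection from its headers hash:
# :missing, :deny, :sameorigin, or :other (e.g. the obsolete ALLOW-FROM form).
def frame_protection(headers)
  key = headers.keys.find { |k| k.casecmp?('X-Frame-Options') }
  return :missing unless key
  case headers[key].to_s.strip.upcase
  when 'DENY' then :deny
  when 'SAMEORIGIN' then :sameorigin
  else :other
  end
end

# Constructed stand-ins: an app that sets no header (like a pre-2012 Rails app)
# and an action that explicitly chose DENY.
HTML = { 'Content-Type' => 'text/html' }.freeze
BARE_APP = ->(_env) { [200, HTML.dup, ['<h1>hi</h1>']] }
DENY_APP = ->(_env) { [200, HTML.merge('X-Frame-Options' => 'DENY'), ['<h1>hi</h1>']] }

# Headers of a response after the default-header middleware has run.
def response_headers(app)
  FrameOptionsDefault.new(app).call({}).fetch(1)
end

if __FILE__ == $PROGRAM_NAME
  [['bare app', BARE_APP], ['deny app', DENY_APP]].each do |name, app|
    before = frame_protection(app.call({})[1])
    after  = frame_protection(response_headers(app))
    puts "#{name}: #{before} -> #{after}"
  end
end
```

The bare app goes from `:missing` to `:sameorigin`, while the app that chose `DENY` is left alone, which is exactly why upgrading Rails alone does nothing for an app generated before the default existed.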


Django has a middleware: https://docs.djangoproject.com/en/dev/ref/clickjacking/

However, it is not turned on by default on old versions (<1.6) I believe, but latest versions should be fine: https://docs.djangoproject.com/en/dev/topics/http/middleware... .


Most frameworks/servers don't do that. It's bad design of the web specs, not a bug actually. Developers shouldn't have to remember it... And yeah, I added default_headers to Rails a while ago.



