Does the Couchbase Server have any way to enable clickjacking prevention?
I’ve received the following report from our security team and I’m looking for any possible solution.
Couchbase Community Server Version 4.5.0
root@cb-node-1:/# curl -vv http://localhost:8091/ui/index.html
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8091 (#0)
> GET /ui/index.html HTTP/1.1
> User-Agent: curl/7.40.0-DEV
> Host: localhost:8091
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: Couchbase Server
< Pragma: no-cache
< Date: Wed, 11 Jan 2017 19:26:59 GMT
< Content-Type: text/html; charset=utf8
< Content-Length: 4827
< Cache-Control: must-revalidate
NOTE: Clickjacking prevention is not enabled in the response headers.
Couchbase Web Application Potentially Vulnerable to Clickjacking
Synopsis:
The remote web server may fail to mitigate a class of web application
vulnerabilities.
Description:
The remote web server does not set an X-Frame-Options response header
or a Content-Security-Policy ‘frame-ancestors’ response header in all
content responses. This could potentially expose the site to a
clickjacking or UI redress attack, in which an attacker can trick a
user into clicking an area of the vulnerable page that is different
than what the user perceives the page to be. This can result in a user
performing fraudulent or malicious transactions.
X-Frame-Options has been proposed by Microsoft as a way to mitigate
clickjacking attacks and is currently supported by all major browser
vendors.
Content-Security-Policy (CSP) has been proposed by the W3C Web
Application Security Working Group, with increasing support among
all major browser vendors, as a way to mitigate clickjacking and other
attacks. The ‘frame-ancestors’ policy directive restricts which
sources can embed the protected resource.
Note that while the X-Frame-Options and Content-Security-Policy
response headers are not the only mitigations for clickjacking, they
are currently the most reliable methods that can be detected through
automation. Therefore, this plugin may produce false positives if
other mitigation strategies (e.g., frame-busting JavaScript) are
deployed or if the page does not perform any security-sensitive
transactions.
Solution:
Return the X-Frame-Options or Content-Security-Policy (with the
’frame-ancestors’ directive) HTTP header with the page’s response.
This prevents the page’s content from being rendered by another site
when using the frame or iframe HTML tags.
See Also:
“http://www.nessus.org/u?399b1f56
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
http://en.wikipedia.org/wiki/Clickjacking”
Urls:
"The following pages do not use a clickjacking mitigation response header and contain a clickable event :