3b056aa7b4
* replace repl.it with replit.com in the English version Replace repl.it to replit.com in the English version. Chinese and Spanish versions have the same issue. * Updated the repl.it to replit.com or Replit I changed the text from replit.com to Replit and added the changes to the files outside the curriculum folder. * Forgot removing one .com. There was on Replit.com that I missed when I reviewed the files. * Resolve conflicts I got an unable to auto merge so resolving conflicts and trying again. * try committing conflicts again * Trying the conflicts again * chore: fix typo in personal library Co-authored-by: Shaun Hamilton <51722130+ShaunSHamilton@users.noreply.github.com> Co-authored-by: gemmaf98 <44875585+gemmaf98@users.noreply.github.com> Co-authored-by: Mrugesh Mohapatra <1884376+raisedadead@users.noreply.github.com> Co-authored-by: Shaun Hamilton <51722130+ShaunSHamilton@users.noreply.github.com>
2.1 KiB
id, title, challengeType, forumTopicId, dashedName
| id | title | challengeType | forumTopicId | dashedName |
|---|---|---|---|---|
| 587d8247367417b2b2512c38 | Mitigate the Risk of Clickjacking with helmet.frameguard() | 2 | 301582 | mitigate-the-risk-of-clickjacking-with-helmet-frameguard |
--description--
As a reminder, this project is being built upon the following starter project on Replit, or cloned from GitHub.
Your page could be put in a <frame> or <iframe> without your consent. This can result in clickjacking attacks, among other things. Clickjacking is a technique of tricking a user into interacting with a page different from what the user thinks it is. This can be obtained executing your page in a malicious context, by mean of iframing. In that context a hacker can put a hidden layer over your page. Hidden buttons can be used to run bad scripts. This middleware sets the X-Frame-Options header. It restricts who can put your site in a frame. It has three modes: DENY, SAMEORIGIN, and ALLOW-FROM.
We don’t need our app to be framed.
--instructions--
Use helmet.frameguard() passing with the configuration object {action: 'deny'}.
--hints--
helmet.frameguard() middleware should be mounted correctly
(getUserInput) =>
$.get(getUserInput('url') + '/_api/app-info').then(
(data) => {
assert.include(
data.appStack,
'frameguard',
'helmet.frameguard() middleware is not mounted correctly'
);
},
(xhr) => {
throw new Error(xhr.responseText);
}
);
helmet.frameguard() 'action' should be set to 'DENY'
(getUserInput) =>
$.get(getUserInput('url') + '/_api/app-info').then(
(data) => {
assert.property(data.headers, 'x-frame-options');
assert.equal(data.headers['x-frame-options'], 'DENY');
},
(xhr) => {
throw new Error(xhr.responseText);
}
);
--solutions--
/**
Backend challenges don't need solutions,
because they would need to be tested against a full working project.
Please check our contributing guidelines to learn more.
*/