gaspersic/freeCodeCamp
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Files
6b3c61c73757d6ffe2ea332cbc44dad7948d1175
freeCodeCamp/curriculum/challenges/english/09-information-security/information-security-with-helmetjs/mitigate-the-risk-of-clickjacking-with-helmet.frameguard.english.md
Kristofer Koishigawa 6b3c61c737 feat: update backend project links (#39314) 
* feat: update backend project links

Replace solution and remix Glitch links with equivalent Repl.it links in backend projects/challenges and intro pages.

* fix: link and Repl.it casing

* fix: update mention of glitch in testing challenge

* Apply suggestions from code review

Co-authored-by: Oliver Eyton-Williams <ojeytonwilliams@gmail.com>

Co-authored-by: Mrugesh Mohapatra <1884376+raisedadead@users.noreply.github.com>
Co-authored-by: Oliver Eyton-Williams <ojeytonwilliams@gmail.com>
2020-08-17 14:38:16 -07:00

2.2 KiB
Raw Blame History

id, title, challengeType, isHidden, forumTopicId
id title challengeType isHidden forumTopicId
587d8247367417b2b2512c38 Mitigate the Risk of Clickjacking with helmet.frameguard() 2 false 301582

Description

As a reminder, this project is being built upon the following starter project on Repl.it, or cloned from GitHub. Your page could be put in a <frame> or <iframe> without your consent. This can result in clickjacking attacks, among other things. Clickjacking is a technique of tricking a user into interacting with a page different from what the user thinks it is. This can be obtained executing your page in a malicious context, by mean of iframing. In that context a hacker can put a hidden layer over your page. Hidden buttons can be used to run bad scripts. This middleware sets the X-Frame-Options header. It restricts who can put your site in a frame. It has three modes: DENY, SAMEORIGIN, and ALLOW-FROM. We dont need our app to be framed.

Instructions

Use helmet.frameguard() passing with the configuration object {action: 'deny'}.

Tests

tests:
  - text: helmet.frameguard() middleware should be mounted correctly
    testString: getUserInput => $.get(getUserInput('url') + '/_api/app-info').then(data => { assert.include(data.appStack, 'frameguard', 'helmet.frameguard() middleware is not mounted correctly'); }, xhr => { throw new Error(xhr.responseText); })
  - text: helmet.frameguard() 'action' should be set to 'DENY'
    testString: getUserInput => $.get(getUserInput('url') + '/_api/app-info').then(data => { assert.property(data.headers, 'x-frame-options'); assert.equal(data.headers['x-frame-options'], 'DENY');}, xhr => { throw new Error(xhr.responseText); })

Challenge Seed

Solution

/**
  Backend challenges don't need solutions, 
  because they would need to be tested against a full working project. 
  Please check our contributing guidelines to learn more.
*/