
[Pentest] Potential clickjacking attack#3707

Open
pini-sh-panda wants to merge 4 commits into
mlrun:feature/ig4from
pini-sh-panda:IG4-2936

Conversation

@pini-sh-panda pini-sh-panda commented Jun 23, 2026

Collaborator

📝 Description

Adds X-Frame-Options: DENY and Content-Security-Policy: frame-ancestors 'none' to all nginx responses to prevent clickjacking attacks.


🛠️ Changes Made

    # Clickjacking protection
    add_header X-Frame-Options "DENY" always;
    add_header Content-Security-Policy "frame-ancestors 'none';" always;

    # Strip upstream X-Frame-Options to avoid duplicate headers in browser response
    proxy_hide_header X-Frame-Options;


✅ Checklist

  • I have given the PR a well-structured title describing the domain and the specific change that was made
  • I tested the changes in the browser (locally or via preview build)
  • I confirmed that existing tests pass
  • I added or updated unit / integration tests (if needed)
  • I checked that this change doesn’t introduce new console warnings or lint / formatting errors
  • I updated the relevant Jira ticket with the appropriate details and status

🔗 References


🚨 Potentially Breaking Changes

  • Yes
  • No

Includes DRC change

  • Yes
  • No

If yes -> requires an NPM version bump


🔍 Additional Notes


📸 Screenshots / Demos

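The two response headers the description above adds, and the `proxy_hide_header` that strips the upstream copy, only matter through the decision a browser makes when it loads the page inside a frame. The script below is an added example, not code from this PR or from the mlrun project: it models that decision following the HTML standard's "check a navigation response's adherence to X-Frame-Options" algorithm plus a simplified CSP `frame-ancestors` source match, and runs it over constructed header sets for the before, after and "upstream header not stripped" cases. The origins, the upstream value `SAMEORIGIN` and the header sets are assumptions made for illustration.

```python
"""Model the browser-side decision behind X-Frame-Options and frame-ancestors.

Added example, not code from the PR or the mlrun project. Follows the HTML
standard's X-Frame-Options check and a simplified CSP frame-ancestors match.
The header sets at the bottom are constructed; the upstream SAMEORIGIN value
is an assumption.
"""
from typing import Iterable, List, Optional, Tuple

Headers = Iterable[Tuple[str, str]]


def header_values(headers: Headers, name: str) -> List[str]:
    """All values of `name`, comma-split the way a browser combines repeats."""
    out: List[str] = []
    for key, value in headers:
        if key.lower() == name.lower():
            out.extend(part.strip() for part in value.split(",") if part.strip())
    return out


def frame_ancestors(headers: Headers) -> Optional[List[str]]:
    """Source list of the first frame-ancestors directive in any CSP, or None."""
    for policy in header_values(headers, "Content-Security-Policy"):
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return [t.lower() for t in tokens[1:]]
    return None


def source_matches(sources: List[str], origin: str, own_origin: str) -> bool:
    """Simplified CSP matching: 'none', 'self', a scheme ('https:') or an origin."""
    if "'none'" in sources:
        return False
    for src in sources:
        if src == "'self'" and origin == own_origin:
            return True
        if src.endswith(":") and origin.startswith(src):
            return True
        if src == origin:
            return True
    return False


def framing_allowed(headers: Headers, own_origin: str, ancestors: List[str]) -> bool:
    """True if a document served with `headers` from `own_origin` may render
    inside frames whose origins are `ancestors` (empty list = top level)."""
    if not ancestors:
        return True
    sources = frame_ancestors(headers)
    if sources is not None:
        # An enforced frame-ancestors directive wins; X-Frame-Options is ignored.
        return all(source_matches(sources, a, own_origin) for a in ancestors)
    xfo = {v.lower() for v in header_values(headers, "X-Frame-Options")}
    if not xfo:
        return True                      # no protection at all: framable
    if len(xfo) > 1:
        # Conflicting recognised values fail closed; several unknown values
        # make the header invalid, so it is ignored.
        return not (xfo & {"deny", "allowall", "sameorigin"})
    (value,) = xfo
    if value == "deny":
        return False
    if value == "sameorigin":
        return all(a == own_origin for a in ancestors)
    return True                          # unknown value (e.g. ALLOW-FROM): ignored


# Constructed header sets for the cases the PR touches (not captured traffic).
APP = "https://app.example"
ATTACKER = "https://attacker.example"
NO_HEADERS: List[Tuple[str, str]] = []
UPSTREAM_ONLY = [("X-Frame-Options", "SAMEORIGIN")]           # assumed upstream value
AFTER_PR = [("X-Frame-Options", "DENY"),
            ("Content-Security-Policy", "frame-ancestors 'none';")]
DUPLICATED = [("X-Frame-Options", "SAMEORIGIN"),              # proxy_hide_header missing
              ("X-Frame-Options", "DENY")]
CSP_SELF_OVER_XFO = [("X-Frame-Options", "DENY"),
                     ("Content-Security-Policy", "frame-ancestors 'self'")]

if __name__ == "__main__":
    cases = [("no headers", NO_HEADERS), ("upstream only", UPSTREAM_ONLY),
             ("after PR", AFTER_PR), ("duplicated XFO", DUPLICATED),
             ("CSP 'self' + XFO DENY", CSP_SELF_OVER_XFO)]
    for label, hdrs in cases:
        print(f"{label:24} cross-site frame: {framing_allowed(hdrs, APP, [ATTACKER])!s:5} "
              f"same-origin frame: {framing_allowed(hdrs, APP, [APP])}")
```

Two things the model makes visible. First, a duplicated `X-Frame-Options` with conflicting values (`SAMEORIGIN` from upstream plus `DENY` from nginx) is still blocked by a standards-following browser, so the `proxy_hide_header` line is about a clean response rather than closing a hole; when a CSP `frame-ancestors` directive is present it takes precedence over `X-Frame-Options` anyway. Second, `frame-ancestors 'none'` blocks same-origin framing as well, so this pair is only right if nothing in the UI frames itself. When checking the deployed configuration, fetch every route rather than just `/`: an nginx `location` block that declares its own `add_header` does not inherit the `add_header` lines of the enclosing `server` block, so a route with extra headers can silently lose these two.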
