Unsanitized user input in UI
- Rule ID: php_symfony_ui_redress
- Languages: php
- Source: ui_redress.yml
Description
Incorporating unsanitized user input to configure the X-Frame-Options or Content-Security-Policy HTTP headers exposes your application to UI redress attacks, commonly known as clickjacking. This vulnerability can be exploited to deceive users into performing unintended actions on your website.
Remediations
- Do set the X-Frame-Options header to "DENY" to prevent your website from being framed by potentially malicious sites.
$response->headers->set("X-Frame-Options", "DENY");
- Do configure the Content-Security-Policy header with "frame-ancestors 'none'" to disallow embedding of your site's content in iframes, objects, or embed tags on unauthorized websites.
$response->headers->set("Content-Security-Policy", "frame-ancestors 'none'");
- Do not use user input directly to set these headers without proper sanitization and validation.
References
Associated CWE
OWASP Top 10
Configuration
To skip this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --skip-rule=php_symfony_ui_redress
To run only this rule during a scan, use the following flag
bearer scan /path/to/your-project/ --only-rule=php_symfony_ui_redress