Protect Ory Docs against Clickjacking Attacks

To protect against Clickjacking Attacks, it is best practice to:
- Preventing the browser from loading the page in frame using the [X-Frame-Options](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options) or [Content Security Policy (frame-ancestors)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors) HTTP headers.
- Preventing session cookies from being included when the page is loaded in a frame using the [SameSite](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) cookie attribute.

Full details can be found here: https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html

**Current Status**
- CSP Headers: not set
- x-frame-options: not set

For the CSP headers, we need to define all aspects, not only `frame-ancestors` and have a report-only testing phase. @vinckr I don't think we are currently embedding the docs somewhere else via iframes, or?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Protect Ory Docs against Clickjacking Attacks #1826

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Protect Ory Docs against Clickjacking Attacks #1826

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions