Description
Summary
The authorization server does not set any frame-restricting response headers, so it lacks the clickjacking protection that RFC 6749 Section 10.13 requires. The authorization endpoint can therefore be embedded in a cross-origin iframe,
enabling clickjacking attacks against the consent page.
Problem
In a clickjacking attack, an attacker can:
- Register a legitimate OAuth client
- Embed the authorization server's authorization page in a transparent iframe
- Overlay dummy buttons that align with the "Authorize" button
- Trick users into granting authorization without their knowledge
Currently, neither the auth server nor the admin console sets any frame-restricting headers.
RFC 6749 Requirement
For most newer browsers, avoidance of iframes can be enforced by the authorization server using the (non-standard) "x-frame-options"
header. This header can have two values, "deny" and "sameorigin", which will block any framing, or framing by sites with a different
origin, respectively.
Proposed Solution
Add a security headers middleware that sets:
- X-Frame-Options: DENY - For older browser compatibility
- Content-Security-Policy: frame-ancestors 'none' - Modern standard
Apply this middleware globally to both the auth server and admin console.
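The following is an added example, not code from this project: a net/http middleware of the kind proposed above, plus a check that applies the browser precedence rule between the two headers (a CSP frame-ancestors directive wins; X-Frame-Options only counts when no frame-ancestors directive is present). The function names, the /authorize route and the stand-in consent handler are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// SecurityHeaders is a net/http middleware that sets frame-restricting headers
// on every response. Headers are set before the wrapped handler runs, so they
// are in place before the first byte of the body is written.
// (Illustrative name; the project's own middleware may differ.)
func SecurityHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		// Legacy mechanism, honoured by browsers that lack CSP Level 2 support.
		h.Set("X-Frame-Options", "DENY")
		// Modern mechanism; when present, CSP2 browsers ignore X-Frame-Options.
		h.Set("Content-Security-Policy", "frame-ancestors 'none'")
		next.ServeHTTP(w, r)
	})
}

// frameAncestors returns the source list of the first frame-ancestors
// directive found in the given CSP header values, and whether one was present.
func frameAncestors(policies []string) ([]string, bool) {
	for _, policy := range policies {
		for _, directive := range strings.Split(policy, ";") {
			fields := strings.Fields(directive)
			if len(fields) > 0 && strings.EqualFold(fields[0], "frame-ancestors") {
				return fields[1:], true
			}
		}
	}
	return nil, false
}

// CrossOriginFramingBlocked reports whether the response headers stop the page
// from being framed by a different origin, and why. It mirrors browser
// behaviour: if a frame-ancestors directive exists it is authoritative and
// X-Frame-Options is ignored; otherwise DENY or SAMEORIGIN blocks framing.
func CrossOriginFramingBlocked(h http.Header) (bool, string) {
	if sources, ok := frameAncestors(h.Values("Content-Security-Policy")); ok {
		for _, s := range sources {
			if !strings.EqualFold(s, "'none'") && !strings.EqualFold(s, "'self'") {
				return false, "frame-ancestors allows " + s
			}
		}
		return true, "frame-ancestors " + strings.Join(sources, " ")
	}
	switch strings.ToUpper(strings.TrimSpace(h.Get("X-Frame-Options"))) {
	case "DENY", "SAMEORIGIN":
		return true, "X-Frame-Options " + h.Get("X-Frame-Options")
	}
	return false, "no frame-restricting header"
}

func main() {
	// Stand-in for the authorization consent page (constructed for the demo).
	authorize := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "<form><button>Authorize</button></form>")
	})
	cases := []struct {
		name    string
		handler http.Handler
	}{
		{"unprotected", authorize},
		{"protected", SecurityHeaders(authorize)},
	}
	for _, c := range cases {
		rec := httptest.NewRecorder()
		c.handler.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/authorize", nil))
		blocked, why := CrossOriginFramingBlocked(rec.Result().Header)
		fmt.Printf("%-12s framing blocked=%-5t (%s)\n", c.name, blocked, why)
	}
}
```

Two caveats worth carrying into the real implementation: a downstream handler that calls Set on Content-Security-Policy (for example to add script-src) will overwrite the frame-ancestors directive, so page-level policies must include frame-ancestors 'none' themselves; and because CSP2 browsers ignore X-Frame-Options once frame-ancestors is present, the two headers must agree or the CSP value alone decides. After deployment, a plain GET against the authorization endpoint should show both headers on every response, including error pages.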
Affected Components
- src/authserver/internal/server/server.go
- src/adminconsole/internal/server/server.go
- New file: src/core/middleware/middleware_security_headers.go
Additional Context
Using DENY / 'none' rather than SAMEORIGIN since there is no legitimate use case for framing the authorization pages or the admin console. Note that browsers supporting CSP Level 2 ignore X-Frame-Options whenever a frame-ancestors directive is present, so the two headers must express the same policy; X-Frame-Options is kept only for browsers without frame-ancestors support.