On 07.02., Peter J. Philipp wrote:
> On Tue, Feb 07, 2023 at 10:41:34AM +0000, Stuart Henderson wrote:
> > On 2023/02/07 10:20, Peter J. Philipp wrote:
> > > Hi,
> > >
> > > Arslan Kabeer (on the Internet) made me aware of clickjacking being done
> > > on my site using OpenBSD httpd. This following patch implements an RFC 7034
> > > protection called "noiframe" which disallows other sites (but not the same
> > > site) from adding an iframe to my site.
> > >
> > > The config change is like this:
> > >
> > > ----->
> > > location "/" {
> > >         directory index index.html
> > >         noiframe
> >
> > Using a specific keyword for every site protection header that
> > somebody might want seems a bit much. (There are other settings for
> > x-frame-options, other headers like content-security-policy and
> > x-content-type-options, and various deprecated ones).
> >
> > Wouldn't a general-purpose "set header X with the value Y" make
> > more sense?
>
> Yes, this makes more sense. Ignore my patch then, it was whipped up this
> morning when I got the vulnerability report from Arslan. I'm unable to
> look deeper and general purposely into this, though, I have other TODOs.
>
> It seems a mystery to me however how to add this header into httpd based
> off the manual page if that is the hint. Perhaps the maintainer of this
> program now has an idea what we need and can schedule programming for it.
>
> Best Regards,
> -peter
>
Using relayd(8) in front of httpd(8) you can easily handle any HTTP header
the way you like: add or remove headers from both requests and responses.

Cheers,
Bruno
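As an added example (not part of Bruno's message and not configuration shipped by the OpenBSD project), here is what the relayd(8) setup he describes looks like for the header Peter wanted, using the `match response header set|remove` actions from relayd.conf(5). The address, port numbers, keypair name and the relay/protocol names are assumptions; RFC 7034 defines X-Frame-Options with the values DENY, SAMEORIGIN and ALLOW-FROM, and SAMEORIGIN is the one that matches "other sites but not the same site".

```conf
# /etc/relayd.conf  (added example; address, ports and names are assumed)
ext_addr="203.0.113.10"          # public address relayd listens on (assumed)
httpd_addr="127.0.0.1"           # httpd is moved to a loopback port behind relayd

http protocol "secheaders" {
        # Pass the real client address on to httpd, which now only sees relayd.
        match request header append "X-Forwarded-For" value "$REMOTE_ADDR"

        # What Peter's "noiframe" keyword did: RFC 7034 X-Frame-Options.
        # SAMEORIGIN lets the site frame itself but blocks other origins;
        # use DENY to forbid framing entirely.
        match response header set "X-Frame-Options" value "SAMEORIGIN"

        # The content-security-policy form of the same restriction; browsers
        # that support frame-ancestors prefer it over X-Frame-Options, so
        # send both for old and new clients.
        match response header set "Content-Security-Policy" \
                value "frame-ancestors 'self'"

        # One of the other headers Stuart mentions.
        match response header set "X-Content-Type-Options" value "nosniff"

        # Drop a response header that only helps fingerprinting.
        match response header remove "Server"

        # Headers can only be rewritten on plaintext, so relayd has to
        # terminate TLS itself. The keypair name refers to
        # /etc/ssl/www.example.org.crt and /etc/ssl/private/www.example.org.key
        # (assumed hostname). Drop this line and the "tls" on the listener
        # for a plain HTTP site.
        tls keypair "www.example.org"
}

relay "www_tls" {
        listen on $ext_addr port 443 tls
        protocol "secheaders"
        forward to $httpd_addr port 8080
}
```

On the httpd side the matching change is to make the server `listen on 127.0.0.1 port 8080` instead of the public address (and without `tls`, since relayd now holds the certificate), so nothing can reach httpd without passing the relay. Note that `match response header set` replaces any value httpd or a CGI script already put in that header; use `append` if you want to keep an existing value. After `rcctl restart relayd`, verify from outside with something like `curl -sI https://www.example.org/ | grep -i -e x-frame-options -e content-security-policy`, and check that the old public listener on httpd is really gone, otherwise the unprotected responses are still one port away.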