On 07.02., Peter J. Philipp wrote:
> On Tue, Feb 07, 2023 at 10:41:34AM +0000, Stuart Henderson wrote:
> > On 2023/02/07 10:20, Peter J. Philipp wrote:
> > > Hi,
> > >
> > > Arslan Kabeer (on the Internet) made me aware of clickjacking being done on
> > > my site using OpenBSD httpd.  The following patch implements an RFC 7034
> > > protection called "noiframe" which disallows other sites (but not the same
> > > site) to add an iframe to my site.
> > >
> > > The config change is like this:
> > >
> > > ----->
> > >         location "/" {
> > >                 directory index index.html
> > >                 noiframe
> >
> > Using a specific keyword for every site protection header that
> > somebody might want seems a bit much. (There are other settings for
> > x-frame-options, other headers like content-security-policy and
> > x-content-type-options, and various deprecated ones).
> >
> > Wouldn't a general-purpose "set header X with the value Y" make
> > more sense?
>
> Yes, this makes more sense.  Ignore my patch then, it was whipped up this
> morning when I got the vulnerability report from Arslan.  I'm unable to
> look deeper and more generally into this, though; I have other TODOs.
>
> It seems a mystery to me however how to add this header into httpd based
> off the manual page if that is the hint.  Perhaps the maintainer of this
> program now has an idea what we need and can schedule programming for it.
>
> Best Regards,
> -peter
>

Using relayd(8) in front of httpd(8), you can easily handle any HTTP header
the way you like: add or remove headers from both requests and responses.

Cheers,
Bruno

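As an added illustration of the relayd(8) approach described in the message above (this is not configuration posted by anyone in the thread), here is a relayd.conf fragment that terminates client connections, sets the anti-clickjacking headers discussed earlier (X-Frame-Options per RFC 7034, plus the Content-Security-Policy and X-Content-Type-Options headers Stuart mentioned), strips one response header, and forwards to httpd(8). The public address 203.0.113.10, the protocol name "secheaders", the relay name "www" and the assumption that httpd.conf has been changed to "listen on 127.0.0.1 port 8080" are all assumptions made for the example.

```conf
# Added example, not from the thread. Assumes httpd(8) listens on
# 127.0.0.1 port 8080 and that the public address is 203.0.113.10.
ext_addr = "203.0.113.10"

http protocol "secheaders" {
        # Tell the backend who the real client was (relayd macros).
        match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
        match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"

        # RFC 7034: only pages from the same origin may frame this site.
        # Use "DENY" instead if the site never frames itself.
        match response header set "X-Frame-Options" value "SAMEORIGIN"

        # CSP frame-ancestors is the current mechanism; browsers that honour
        # both prefer it over X-Frame-Options, so set them consistently.
        match response header set "Content-Security-Policy" value "frame-ancestors 'self'"
        match response header set "X-Content-Type-Options" value "nosniff"

        # Example of removing a response header on the way out.
        match response header remove "Server"
}

relay "www" {
        listen on $ext_addr port 80
        protocol "secheaders"
        forward to 127.0.0.1 port 8080
}
```

Check the file with `relayd -n` before enabling the daemon with `rcctl enable relayd && rcctl start relayd`. Note that both headers are enforced by the visitor's browser, not by relayd; the relay only guarantees they are present on every response that passes through it, including error pages httpd generates itself.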