Updated 3 weeks ago

Securing Websites Against Clickjacking in the Healthcare Industry

At a glance

The community members discuss adding X-Frame-Options to protect against clickjacking, particularly for websites in the healthcare industry. They explore alternative solutions like SameSite cookie attributes and frame-breaking scripts. Some community members suggest that the restriction should have been an opt-in feature rather than the default, as it caused issues for those who needed to embed their sites in iframes. The community members indicate that they will consider adding an option to allow iframe embedding for trusted sites.
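The options the thread goes back and forth on (X-Frame-Options, CSP `frame-ancestors`, and an opt-in allowlist for trusted embedding sites) side by side, as an added example that is not Webstudio's code and not part of anyone's post here. It is a small Node.js helper that builds the framing headers for a page, plus a simplified model of the browser's decision, so you can see why a deny-by-default header breaks embeds like the Weblium one and what an allowlist has to look like. The origins (`site.wstd.io`, `client.weblium.example`) and the function names are assumptions made for the example.

```javascript
// Added example (not Webstudio code): anti-clickjacking headers, deny by
// default, with an optional allowlist of origins that may embed the page.
// Run with: node clickjacking-headers.js

// Build the response headers that control who may frame this page.
// frameAncestors: origins allowed to embed the page, e.g.
//   ["https://client.weblium.example"]; an empty list means nobody may.
// Returns a plain object of header name -> value.
function buildFramingHeaders(frameAncestors = []) {
  // Accept only http(s) origins: scheme + host + optional port, no path.
  // (IPv6 literals and wildcard hosts are out of scope for this example.)
  const originRe = /^https?:\/\/[A-Za-z0-9.-]+(?::\d{1,5})?$/;
  for (const o of frameAncestors) {
    if (!originRe.test(o)) throw new Error(`not an origin: ${o}`);
  }

  const headers = {};
  if (frameAncestors.length === 0) {
    // Strict default: nobody, not even the same origin, may frame the page.
    headers["Content-Security-Policy"] = "frame-ancestors 'none'";
    headers["X-Frame-Options"] = "DENY";
  } else {
    // Opt-in allowlist. CSP frame-ancestors is the standard way to name
    // arbitrary trusted origins; X-Frame-Options cannot express that
    // (ALLOW-FROM is obsolete), so the legacy header can only say SAMEORIGIN.
    // Caveat: browsers that understand frame-ancestors ignore X-Frame-Options;
    // an old browser that only knows X-Frame-Options will still block the
    // third-party embed. Header-based protection is still preferable to
    // frame-busting JavaScript, which a sandboxed iframe can neutralise.
    headers["Content-Security-Policy"] =
      `frame-ancestors 'self' ${frameAncestors.join(" ")}`;
    headers["X-Frame-Options"] = "SAMEORIGIN";
  }
  return headers;
}

// Simplified model of the browser's check: may a document at pageOrigin be
// framed by a parent document at parentOrigin, given these response headers?
// Handles 'none', 'self' and literal origins only; scheme-only sources,
// wildcards and multi-level ancestor chains are ignored for brevity.
function isFramingAllowed(headers, pageOrigin, parentOrigin) {
  const csp = headers["Content-Security-Policy"] || "";
  const m = csp.match(/(?:^|;)\s*frame-ancestors\s+([^;]+)/);
  if (m) {
    // frame-ancestors present: it takes precedence over X-Frame-Options.
    const sources = m[1].trim().split(/\s+/);
    if (sources.includes("'none'")) return false;
    return sources.some(
      (src) => (src === "'self'" && parentOrigin === pageOrigin) || src === parentOrigin
    );
  }
  // No CSP directive: fall back to the legacy header.
  const xfo = (headers["X-Frame-Options"] || "").toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return parentOrigin === pageOrigin;
  return true; // no framing protection at all
}

// Demo with constructed origins: the deny-all default versus an allowlist.
function demo() {
  const page = "https://site.wstd.io";
  const trusted = "https://client.weblium.example";
  const attacker = "https://evil.example";

  const denyAll = buildFramingHeaders();
  const allowOne = buildFramingHeaders([trusted]);

  console.log("deny-all headers:", denyAll);
  console.log("allowlist headers:", allowOne);
  console.log("deny-all, trusted parent:", isFramingAllowed(denyAll, page, trusted));
  console.log("allowlist, trusted parent:", isFramingAllowed(allowOne, page, trusted));
  console.log("allowlist, attacker parent:", isFramingAllowed(allowOne, page, attacker));
}

demo();
```

Note that the allowlist entry has to be a full origin: `http://client.weblium.example` does not match `https://client.weblium.example`, which is the usual reason a freshly added trusted site "still doesn't work". Also, SameSite cookies (raised later in the thread) limit what a clickjacked click can do by keeping the session cookie out of the cross-site iframe request; they do nothing about the framing itself, and they only matter when there is a session to protect.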

Are you guys able to add X-Frame-Options on the servers? I don't want other people to iframe the websites I make (because I'm in the healthcare industry, I don't want to be vulnerable to clickjacking).
Marked as solution
We actually lost a use case where some people need to be able to embed their site in the iframe. Not sure this was the right move to have the restriction by default.

It should have been an opt-in feature.
31 comments
Do you know a specific case, like you have a site without SameSite cookie attributes, or what?
Cookies with a SameSite attribute of either Strict or Lax will not be included in requests, so it's already good prevention. Does anyone these days use None?
What are SameSite cookie attributes? Does it solve the embedding problem, and is it easy to set up in Webstudio?
Clickjacking is valid if it's used during some login process, etc., so some actions will be executed on the user's behalf.
So the user needs to be logged in
somewhere, i.e. have cookies.
We don't have sessions or logins, so I've asked about the specific use case you have.
Btw, is there a way that I can get an A for a Webstudio site from this tester? I can get it close to that with other builders: https://securityheaders.com/?q=https%3A%2F%2Fmarketplace-saas-landing-page-vv5th.wstd.io&followRedirects=on
Ok, gotcha: to get an A grade from some tool :-) it's a valid concern, we will check.
appreciate it 🙏
We will try to add it ASAP
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

X-Frame-Options is deprecated; browser vendors are telling people not to use it, which makes it look like the testing tool is outdated.
Ok. It's not that I care about having X-Frame-Options; it's more about protecting my site from clickjacking, and whether there's anything I can do to protect against that.
Hi, Ivan! I noticed that my iframe embedding for my Webstudio site stopped working on my Weblium site, possibly after your recent update to enhance clickjacking protection. Could you please advise on how I can modify the security settings to allow embedding on specific trusted sites (e.g., my Weblium site)? If there’s a way to configure the Content-Security-Policy or X-Frame-Options headers to permit this while maintaining security, I’d appreciate your guidance.
Interesting situation, may I ask what the use case is? Why are you embedding a Webstudio site inside a Weblium site?
Hi, Oleg! The embedded Webstudio page displays a list of upcoming events pulled from an Airtable base. My client prefers a no-code/low-code solution to manage their site independently, so I initially used Weblium for the main platform and Webstudio for the event list embed. At the time, Webstudio’s content mode wasn’t available, so this setup was the best option. If there’s a way to enable iframe embedding for trusted sites like my Weblium project, I’d appreciate your advice!
Please DM me your project.
Right now there is none; we will whitelist your project and then consider adding an option.
@Arisa please check
Yes, it's working now. Thank you both!!
@Ivan Starkov and @Oleg Isonen, I just noticed this; you are the goat! Thanks a lot!
We actually lost a use case where some people need to be able to embed their site in the iframe. Not sure this was the right move to have the restriction by default.

It should have been an opt-in feature.
I am still considering removing it by default and letting users opt-in via settings.
After our conversation, I realized that as well, but if it were an option for each website, it would be great.
I will ping you directly if we decide to add the setting and remove the default, so you can switch.