iframeable
Checks whether a website is safe against being iframed (clickjacking attacks).
var request = require('request');
var check = require('check-types');
var chalk = require('chalk');
// Header inspected by the check below, and the reference linked from every verdict.
var X_FRAME_OPTIONS = 'x-frame-options';
var MORE_INFO_URL = 'https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet';

// The only positional argument is the target URL; anything that is not a
// well-formed web URL prints the usage line and aborts with a non-zero status.
var url = process.argv[2];
var hasValidTarget = check.webUrl(url);
if (!hasValidTarget) {
  console.error('Usage: iframeable <url>');
  process.exit(-1);
}
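// Fetch the target and report whether a browser would let a third-party page
// frame it. (The request library follows redirects by default, so the headers
// inspected here are presumably those of the final response — confirm.)
//
// Verdict order: an enforced Content-Security-Policy `frame-ancestors`
// directive is the current standard and supersedes X-Frame-Options in
// browsers that implement it, so it is evaluated first; X-Frame-Options is
// consulted only when no frame-ancestors directive is present. Previously a
// site protected solely by CSP was reported as frameable.
//
// Exit status: 0 for "safe" and for the allow-list / ALLOW-FROM cases reported
// as "might be unsafe" (kept for compatibility — TODO(review): consider a
// non-zero status there); non-zero when the page can be framed by anyone, when
// the header value is not one a browser would honour, or when the request
// itself fails (thrown).
// NOTE(review): the `request` package is deprecated upstream; consider the
// built-in http/https modules instead.
request(url, function (error, response) {
  if (error) {
    console.error('Could not check', chalk.underline(url));
    throw error;
  }
  var headers = response.headers;

  // Only the enforcing header counts: Content-Security-Policy-Report-Only
  // never blocks framing. Node joins repeated header fields with ", ", so a
  // directive may follow either ";" or ","; only the first frame-ancestors
  // occurrence is evaluated, which can only err on the conservative side
  // (every policy must allow the ancestor for framing to succeed).
  var csp = headers['content-security-policy'];
  var frameAncestors = check.unemptyString(csp)
    ? /(?:^|[;,])\s*frame-ancestors\b\s*([^;,]*)/i.exec(csp)
    : null;
  if (frameAncestors) {
    var sources = (frameAncestors[1] || '').trim();
    if (/^'none'$/i.test(sources)) {
      console.log(chalk.green.underline(url),
        chalk.green('denies being iframed (CSP frame-ancestors), safe'));
      process.exit(0);
    }
    if (/^'self'$/i.test(sources)) {
      console.log(chalk.green.underline(url),
        chalk.green('can only be iframed from same origin (CSP frame-ancestors), safe'));
      process.exit(0);
    }
    // Any other source list is an explicit allow-list; "*" or a scheme-only
    // source such as "https:" lets every matching origin frame the page.
    // An empty list is deliberately reported here rather than as 'none'.
    console.log(chalk.yellow.underline(url),
      chalk.yellow('allows iframing from some external websites (CSP frame-ancestors: ' + sources + '). Might be unsafe.'));
    console.error('See more information about this attack at', chalk.underline(MORE_INFO_URL));
    process.exit(0);
  }

  var value = headers[X_FRAME_OPTIONS];
  if (!check.unemptyString(value)) {
    console.error(chalk.red.bold.underline(url),
      chalk.red.bold('responds without header', X_FRAME_OPTIONS));
    console.error('This means the website can be iframed into malicious website');
    console.error('See more information about this attack at', chalk.underline(MORE_INFO_URL));
    process.exit(-1);
  }
  // Match whole comma-separated tokens rather than substrings: the previous
  // /DENY/i test reported "ALLOW-FROM https://deny.example" as safe.
  if (/(?:^|,)\s*DENY\s*(?:,|$)/i.test(value)) {
    console.log(chalk.green.underline(url), chalk.green('denies being iframed, safe'));
    process.exit(0);
  }
  if (/(?:^|,)\s*SAMEORIGIN\s*(?:,|$)/i.test(value)) {
    console.log(chalk.green.underline(url), chalk.green('can only be iframed from same origin, safe'));
    process.exit(0);
  }
  if (/(?:^|,)\s*ALLOW-FROM\b/i.test(value)) {
    console.log(chalk.yellow.underline(url),
      chalk.yellow('allows iframing from some external websites. Might be unsafe.'));
    // ALLOW-FROM was never implemented by all browsers; a browser that does not
    // understand it ignores the header entirely, leaving the page frameable.
    console.error('ALLOW-FROM is deprecated and ignored by browsers that do not implement it; use CSP frame-ancestors instead');
    console.error('See more information about this attack at', chalk.underline(MORE_INFO_URL));
    process.exit(0);
  }
  // Anything else (e.g. ALLOWALL, a typo, a value a browser cannot parse)
  // previously fell through and exited 0 with no output, i.e. looked "safe".
  // Browsers do not enforce an unrecognised X-Frame-Options value, so treat it
  // like a missing header.
  console.error(chalk.red.bold.underline(url),
    chalk.red.bold('responds with unrecognised', X_FRAME_OPTIONS, 'value:', value));
  console.error('This means the website can be iframed into malicious website');
  console.error('See more information about this attack at', chalk.underline(MORE_INFO_URL));
  process.exit(-1);
});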