[VPAT-50] chore(security): add X-Frame-Options header to nginx configuration to prevent clickjacking attacks

[prateekshourya29]

Description

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• Feature (non-breaking change which adds functionality)
• Improvement (change that would cause existing functionality to not work as expected)
• Code refactoring
• Performance improvements
• Documentation update

Screenshots and Media (if applicable)

Test Scenarios

References

Summary by CodeRabbit

• Chores
  • Enhanced security by adding HTTP response headers across application servers to mitigate clickjacking, content-type sniffing, cross-site scripting, and to enforce strict transport security for all responses.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[makeplane]

Linked to Plane Work Item(s)

• [VPAT-50] Add X-Frame-Options header to prevent clickjacking

This comment was auto-generated by Plane

[coderabbitai]

📝 Walkthrough

Walkthrough

Added four security response headers to the nginx server blocks in apps/admin/nginx/nginx.conf and apps/web/nginx/nginx.conf: X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Strict-Transport-Security: max-age=31536000; includeSubDomains, and X-XSS-Protection: 1; mode=block, each set with always.

Changes

Cohort / File(s)	Summary
Security header additions apps/admin/nginx/nginx.conf, apps/web/nginx/nginx.conf	Added the following add_header directives inside the server blocks (applied always): X-Frame-Options "DENY", X-Content-Type-Options "nosniff", Strict-Transport-Security "max-age=31536000; includeSubDomains", and X-XSS-Protection "1; mode=block". Changes affect response headers for all served requests.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇✨ I hop in code with headers bright,
Frames denied, no sneaky sight,
Content safe and types held tight,
HSTS whispers through the night,
A rabbit cheers — the site feels right! 🥕🛡️

��� Pre-merge checks | ✅ 1 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title mentions X-Frame-Options but the actual PR adds four security headers (X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, X-XSS-Protection); it captures only part of the changes.	Update title to reflect all four security headers being added, e.g., 'Add security headers to nginx configuration to prevent clickjacking and related attacks'.
Description check	⚠️ Warning	The PR description is empty with only template placeholders; no details about the changes, security rationale, testing, or references to the issue were provided.	Fill in the Description section with details about the four security headers added and their purposes. Mark the appropriate Type of Change checkbox, provide test scenarios, and link to issue VPAT-50.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sriramveeraghanta]

Look into this PR for adding more header options.

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In @apps/admin/nginx/nginx.conf:
- Around line 23-27: Remove the obsolete X-XSS-Protection header and either
remove or conditionally apply Strict-Transport-Security depending on whether TLS
is terminated here (if HTTPS is terminated upstream, move/ensure HSTS is set at
the TLS terminator; otherwise remove the Strict-Transport-Security line), keep
X-Frame-Options as a fallback, and add a Content-Security-Policy header with at
minimum "default-src 'self'; frame-ancestors 'none';" (adjust additional CSP
directives as needed for your app).

In @apps/web/nginx/nginx.conf:
- Around line 23-27: Remove the ineffective/deprecated headers: delete the
add_header directive for X-XSS-Protection and remove or gate the add_header
Strict-Transport-Security directive (the Strict-Transport-Security header must
only be set when HTTPS is terminated before this server; if HTTPS is terminated
elsewhere, ensure that logic only sets add_header Strict-Transport-Security when
requests are secure). Instead add a Content-Security-Policy header via
add_header Content-Security-Policy with a restrictive policy (for example:
default-src 'self'; frame-ancestors 'none';) to replace
X-Frame-Options/X-XSS-Protection functionality in modern browsers and improve
protection.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6722648 and 64e9577.

📒 Files selected for processing (2)

• apps/admin/nginx/nginx.conf
• apps/web/nginx/nginx.conf

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: check:types
• GitHub Check: check:lint
• GitHub Check: Analyze (javascript)

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

find . -type f -name "nginx.conf" | head -20

Repository: makeplane/plane

Length of output: 146

---

🏁 Script executed:

# Check the admin nginx config
if [ -f "apps/admin/nginx/nginx.conf" ]; then
  cat -n apps/admin/nginx/nginx.conf
fi

Repository: makeplane/plane

Length of output: 1119

---

🏁 Script executed:

# Check the web nginx config for comparison
if [ -f "apps/web/nginx/nginx.conf" ]; then
  cat -n apps/web/nginx/nginx.conf
fi

Repository: makeplane/plane

Length of output: 1118

---

🌐 Web query:

HSTS Strict-Transport-Security HTTP port 3000 browser behavior

💡 Result:

Short answer

• HSTS policies are stored per host name (not per port) and apply to all ports. If a browser has an HSTS entry for example.com and you try to open http://example.com:3000/, the browser will change the scheme to https but keep the explicit port 3000 (i.e. it will try https://example.com:3000/). [1][2]

Key points

• Browser only accepts Strict-Transport-Security over an HTTPS response. HSTS is added to the browser’s HSTS list only after receiving the header on TLS. [1][2]
• When upgrading an http URL: if the URL contains an explicit port other than 80, that port is preserved; if it contains port 80 it is converted to 443. If no port is present the UA does not add one. [2]
• If HTTPS-to-port-3000 fails (e.g., no TLS server or certificate error) and the host is known HSTS, the UA must terminate the connection and not allow a bypass. [2]

Examples

• http://example.com:3000/ → browser rewrites to https://example.com:3000/ (and then attempts TLS). [1][2]
• http://example.com/ (no explicit port) → rewritten to https://example.com/ (port handling per spec: implicit 80→443). [2]

Sources
[1] MDN: Strict-Transport-Security header.
[2] RFC 6797 (HTTP Strict Transport Security).

---

🌐 Web query:

X-XSS-Protection deprecated obsolete 2024

💡 Result:

Short answer: Yes — X-XSS-Protection is functionally deprecated/obsolete in modern browsers and is no longer recommended (use Content-Security-Policy instead). Set it to 0 or stop sending it. [1][2][3][4]

Key points and sources:

• MDN: X-XSS-Protection is non‑standard, Chrome removed its XSS Auditor, Firefox never implemented it, Edge retired its filter — use CSP instead. [1]
• Chromium / Chrome 78: the XSS Auditor was removed (Chrome no longer honors X-XSS-Protection). [2]
• OWASP Secure Headers / OWASP guidance: header is deprecated; recommendation is to disable it (X-XSS-Protection: 0) and rely on CSP. [3]
• Mozilla infosec guidance shows the header marked obsolete in their 2024 updates and recommends CSP. [4]

If you want, I can show the exact header config snippets (NGINX/Apache/Express) to explicitly disable it and add a CSP example.

---

🌐 Web query:

Content-Security-Policy frame-ancestors modern browser support

💡 Result:

Short summary — modern support for Content-Security-Policy's frame-ancestors

• What it does: blocks/allows which parent origins may embed a page (applies to frame, iframe, object, embed). Must be sent in the HTTP Content-Security-Policy header (not meta). [1][2]
• Broad modern support: supported in current Chrome, Firefox, Safari, Opera and Chromium-based Edge (desktop and mobile). Use frame-ancestors (CSP Level 2+) instead of the deprecated X-Frame-Options when those browsers are targeted. [1][3]
• Not supported in Internet Explorer (IE11 and older). If you need IE compatibility, include a fallback X-Frame-Options header (DENY or SAMEORIGIN) alongside CSP. [2][3]
• Practical note: nested frames are checked against the policy of the framed resource (all ancestors must match); use both CSP and X-Frame-Options when you must cover older clients. [1][2]

Sources: MDN (frame-ancestors) [1]; Mozilla web-security guidance (recommend X-Frame-Options fallback) [2]; content-security-policy.com compatibility notes [3].

---

Verify HSTS usage and remove deprecated X-XSS-Protection header.

Good additions for X-Frame-Options and X-Content-Type-Options. However, there are concerns with the other headers:

1. HSTS on port 3000 (line 26): The Strict-Transport-Security header only functions over HTTPS connections. Since this server listens on HTTP port 3000, browsers will ignore this header entirely. If a reverse proxy handles HTTPS termination in front, verify that HSTS is appropriate for your deployment architecture. Otherwise, remove this header.

2. X-XSS-Protection is deprecated (line 27): This header is obsolete and no longer honored by modern browsers (Chrome removed the XSS Auditor; Firefox and Edge don't implement it). Remove this header and rely on Content-Security-Policy instead.

3. Consider adding Content-Security-Policy: Add a CSP header with appropriate directives including frame-ancestors 'none' (which supersedes X-Frame-Options in modern browsers) and default-src 'self'. Keep X-Frame-Options as a fallback for older browsers.

🔒 Proposed security header improvements

 # Security headers
 add_header X-Frame-Options "DENY" always;
 add_header X-Content-Type-Options "nosniff" always;
-add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-add_header X-XSS-Protection "1; mode=block" always;
+# Remove HSTS if serving over HTTP, or verify reverse proxy handles HTTPS
+add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none';" always;

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	# Security headers
	add_header X-Frame-Options "DENY" always;
	add_header X-Content-Type-Options "nosniff" always;
	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
	add_header X-XSS-Protection "1; mode=block" always;
	# Security headers
	add_header X-Frame-Options "DENY" always;
	add_header X-Content-Type-Options "nosniff" always;
	# Remove HSTS if serving over HTTP, or verify reverse proxy handles HTTPS
	add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none';" always;

🤖 Prompt for AI Agents

In @apps/admin/nginx/nginx.conf around lines 23 - 27, Remove the obsolete
X-XSS-Protection header and either remove or conditionally apply
Strict-Transport-Security depending on whether TLS is terminated here (if HTTPS
is terminated upstream, move/ensure HSTS is set at the TLS terminator; otherwise
remove the Strict-Transport-Security line), keep X-Frame-Options as a fallback,
and add a Content-Security-Policy header with at minimum "default-src 'self';
frame-ancestors 'none';" (adjust additional CSP directives as needed for your
app).

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's look at the nginx.conf file to understand the actual configuration
cat -n apps/web/nginx/nginx.conf

Repository: makeplane/plane

Length of output: 1118

---

🏁 Script executed:

# Search for HTTPS, SSL, and port configurations
rg -n "listen|ssl|https|443" apps/web/nginx/nginx.conf

Repository: makeplane/plane

Length of output: 78

---

🏁 Script executed:

# Search for reverse proxy or upstream configurations
rg -n "proxy_pass|upstream" apps/web/nginx/

Repository: makeplane/plane

Length of output: 41

---

🌐 Web query:

X-XSS-Protection header deprecated modern browsers security

💡 Result:

Short answer: X-XSS-Protection is deprecated — modern browsers removed or stopped honoring it because the built‑in XSS auditors were inconsistent, bypassable and could create side‑channel/XS‑Leak issues. Use a strong Content‑Security‑Policy instead; if you must keep the header for very old browsers, explicitly disable the broken auditor with "X-XSS-Protection: 0". (owasp.org)

Citations:

• 1: https://owasp.org/index.php/OWASP_Secure_Headers_Project?utm_source=openai

---

Remove deprecated X-XSS-Protection header and reconsider HSTS on HTTP.

Good additions for X-Frame-Options and X-Content-Type-Options. However:

1. HSTS ineffective on HTTP (line 26): The Strict-Transport-Security header requires HTTPS to function. This server listens on port 3000 over HTTP with no reverse proxy handling HTTPS in the configuration. Browsers ignore HSTS headers on HTTP connections, making this header ineffective. Either remove it or verify that HTTPS is terminated elsewhere before requests reach this server.

2. Remove X-XSS-Protection (line 27): This header is deprecated and ignored by modern browsers. It can introduce vulnerabilities in older browsers. Remove it and use Content-Security-Policy instead.

3. Consider adding Content-Security-Policy: Add a CSP header (e.g., "default-src 'self'; frame-ancestors 'none';") for comprehensive security coverage, which supersedes X-Frame-Options in modern browsers.

🤖 Prompt for AI Agents

In @apps/web/nginx/nginx.conf around lines 23 - 27, Remove the
ineffective/deprecated headers: delete the add_header directive for
X-XSS-Protection and remove or gate the add_header Strict-Transport-Security
directive (the Strict-Transport-Security header must only be set when HTTPS is
terminated before this server; if HTTPS is terminated elsewhere, ensure that
logic only sets add_header Strict-Transport-Security when requests are secure).
Instead add a Content-Security-Policy header via add_header
Content-Security-Policy with a restrictive policy (for example: default-src
'self'; frame-ancestors 'none';) to replace X-Frame-Options/X-XSS-Protection
functionality in modern browsers and improve protection.