Skip to content

Commenting out Content-Security-Policy_headers to avoid over-riding c…#946

Closed
atharv2-git wants to merge 1 commit intodoubtfire-lms:9.xfrom
atharv2-git:fix/clickjacking-vulnerability-fix
Closed

Commenting out Content-Security-Policy_headers to avoid over-riding c…#946
atharv2-git wants to merge 1 commit intodoubtfire-lms:9.xfrom
atharv2-git:fix/clickjacking-vulnerability-fix

Conversation

@atharv2-git
Copy link

@atharv2-git atharv2-git commented Jun 20, 2025
edited
Loading

Base Branch: 9.x

Note: This PR is made to doubtfire-lms/doubtfire-web as an upstream contribution after peer review, AppAttack security verification, and mentor approval.

Description

This PR updates the internal nginx.conf in doubtfire-web to ensure that security headers (like X-Frame-Options, Content-Security-Policy, etc.) are not redundantly set or overridden when they are already enforced by the outer proxy-nginx.conf in the doubtfire-deploy repository.

This change was originally proposed and peer-reviewed in the ThothTech PR with relevant discussions and final approval from @aNebula. This upstream PR isolates the nginx.conf change only, without any unrelated deletions (e.g., package-lock.json), as per mentor's instructions.

What was changed

  • Commented out internal security headers in doubtfire-web/nginx.conf that duplicate those set at the reverse proxy level.
  • Ensures consistency and centralized management of security headers from the proxy-nginx.conf layer in the deployment repo.

Fixes: Header conflicts and duplication issues between inner and outer NGINX layers.

Reference PRs

Testing Summary

  • Verified that headers from proxy-nginx.conf are correctly reflected in browser responses without being overridden by internal nginx.conf.
  • Confirmed that there is no duplication or conflict in the applied security headers (e.g., X-Frame-Options, Content-Security-Policy) as verified by peer reviewers and senior reviewer.
  • Validated that the clickjacking vulnerability is now patched and protection mechanisms are working as expected.
  • Ensured that static files are still served correctly via the inner NGINX layer.
  • Addressed and resolved the package-lock.json conflict to prevent issues in cross-platform container builds, especially for Windows-based development.

Checklist

  • Only the intended nginx.conf change included
  • Forked cleanly from doubtfire-lms/9.x branch
  • Linked deployment PR and documentation
  • All peer and mentor reviews completed

@atharv2-git
Commenting out Content-Security-Policy_headers to avoid over-riding c…
7d08228 
…onflicts with the security headers mentioned in proxy-nginx.conf
@atharv2-git atharv2-git mentioned this pull request Jun 20, 2025
Closed
4 tasks
@atharv02-git atharv02-git mentioned this pull request Jun 20, 2025
Open
10 tasks
@b0ink b0ink closed this Nov 28, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@atharv2-git @b0ink