Information Security with HelmetJS - Mitigate the Risk of Clickjacking with helmet.frameguard()

Tell us what’s happening:

It keeps saying "helmet.frameguard() middleware should be mounted correctly", and I did what was in the instructions. Please, what is wrong?
Your project link(s)

solution: boilerplate-infosec - Replit

Your browser information:

User Agent is: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36

Challenge: Information Security with HelmetJS - Mitigate the Risk of Clickjacking with helmet.frameguard()

Link to the challenge:

@lasjorg I notice the tests make a call to a /_api/app-info route on the submitted URL and check for frameguard. This user's app returns:

{"headers":{"x-frame-options":"DENY"},"appStack":["xFrameOptionsMiddleware","xFrameOptionsMiddleware","hidePoweredBy"]}

I pulled down the boilerplate and updated myApp.js accordingly and see the following which passes the tests:

{"headers":{"x-frame-options":"DENY"},"appStack":["hidePoweredBy","frameguard"]}

One thing I did differently locally was to merge the changes of the outstanding PR on the boilerplate, so it could be a difference in the package-lock.json?

@ochebarnnas12345 As a test, delete your node_modules folder with rm -rf node_modules, and delete package-lock.json. Then run npm install and run the app again before submitting your live project URL.

NOTE: You do not need the extra app.use(helmet.frameguard()).

Pretty sure it’s the caret in front of the version number (^3.21.3) in the package.json that is making it install version 3.23.3, which likely also updated the lock file. If you fork it, even if you correct the version, it will still install 3.23.3.

@ochebarnnas12345 You can still follow @RandellDawson’s suggestion, but you also have to correct the version in the package.json so it does not have a ^ in front of it.