Information Security with HelmetJS - Mitigate the Risk of Clickjacking with helmet.frameguard()

ochebarnnas12345 · July 31, 2022, 5:22pm

Tell us what’s happening:
Describe your issue in detail here.

it keeps saying helmet.frameguard() middleware should be mounted correctly and i did what was in the instruction,please what is wrong?
Your project link(s)

solution: boilerplate-infosec - Replit

Your browser information:

User Agent is: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36

Challenge: Information Security with HelmetJS - Mitigate the Risk of Clickjacking with helmet.frameguard()

Link to the challenge:

RandellDawson · July 31, 2022, 6:59pm

@lasjorg I notice the tests make a call to a /_api/app-info route on the submitted url and check for frameguard. This user’s app returns:

{"headers":{"x-frame-options":"DENY"},"appStack":["xFrameOptionsMiddleware","xFrameOptionsMiddleware","hidePoweredBy"]}

I pulled down the boilerplate and updated myApp.js accordingly and see the following which passes the tests:

{"headers":{"x-frame-options":"DENY"},"appStack":["hidePoweredBy","frameguard"]}

One thing I did different locally was to merge the changes of the outstanding PR on the boilerplate, so it could be a difference in the package-lock.json?

@ochebarnnas12345 As a test, delete your node_modules folder with rm -rf node_modules and delete package-lock.json. Then run npm install and run the app again before submitting your live project url.

NOTE: You do not need the extra app.use(helmet.frameguard()).

lasjorg · July 31, 2022, 9:44pm

Pretty sure it’s the caret in front of the version number ^3.21.3 in the package.json that is making it install version 3.23.3 which likely also updated the lock file. If you fork it even if you correct the version it will still install 3.23.3

@ochebarnnas12345 you can still follow @RandellDawson suggestion but you have to also correct the version in the package.json to not have a ^ in front of it.

smilesr · August 19, 2022, 10:42am

Thanks @RandellDawson ! I had the same problem as OP and your solution resolved it.

ndegwaduncan193 · September 11, 2022, 3:16pm

downgrading Helmet to 2.3.0 according to the following temporary solution provided here Information security with HelmetJS #lesson-2 - #4 by ganeshh123 by ganeshh123 seems to work as well