AWS S3 website can't serve security headers, may allow clickjacking
Legal Robot
Team Summary
Official summary from Legal Robot
A security researcher discovered that our AWS S3 website was not serving some basic security headers like X-Frame-Options. We resolved the issue by putting nginx in front of our AWS S3 website and adding header directives. Fixed security headers can be verified here: https://schd.io/zt
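As an added illustration, not the configuration Legal Robot deployed: an nginx server block of the kind the summary describes, proxying to an S3 static-website endpoint (which cannot emit custom response headers and only speaks plain HTTP) and adding the anti-clickjacking headers itself. The domain, bucket name, region and certificate paths are placeholders.

```nginx
# Added example of the mitigation described above; placeholders throughout.
server {
    listen 443 ssl;
    server_name www.example.com;                        # placeholder domain

    ssl_certificate     /etc/nginx/tls/fullchain.pem;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/privkey.pem;

    # Anti-clickjacking: the legacy header plus the CSP directive that
    # supersedes it in modern browsers. "always" makes nginx attach the
    # headers to error responses (e.g. a 404 from S3) as well, not just 2xx/3xx.
    add_header X-Frame-Options "DENY" always;
    add_header Content-Security-Policy "frame-ancestors 'none'" always;

    # Other baseline headers that S3 website hosting does not provide.
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        # S3 website endpoints are HTTP-only; TLS terminates at nginx.
        # Placeholder bucket and region.
        proxy_pass http://example-bucket.s3-website-us-east-1.amazonaws.com;
        proxy_set_header Host example-bucket.s3-website-us-east-1.amazonaws.com;
    }
}
```

Note that add_header directives are inherited by a location block only when that location defines no add_header of its own; adding one inside `location /` would silently drop all of the server-level headers, so repeat the full set there if a location needs an extra header.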
Reported by
h1000h1
Report Details
Additional information and metadata
State
Closed
Substate
Resolved
Weakness
UI Redressing (Clickjacking)