Clickjacking in Actix with Mongodb

Clickjacking is a client-side UI redress attack where an invisible or misleading layer tricks a user into interacting with a different page than intended. When an Actix web application embeds third-party content or exposes administrative pages without anti-clickjacking defenses, and also uses a Mongodb backend to serve or store sensitive data, the combination can expose sensitive operations to unauthorized interaction.

In an Actix application using Mongodb, routes that render administrative panels, settings pages, or perform state-changing POSTs (e.g., updating user roles or modifying database records) may be embedded inside iframes on attacker-controlled sites. If these routes do not set appropriate frame-ancestors policies or do not validate the request origin, an attacker can overlay invisible controls or misleading UI on top of the embedded page. Because Mongodb often stores user permissions or session-sensitive flags used by Actix to make authorization decisions, an exploited clickjacking vector can lead to unintended data reads or writes, bypassing intended UI safeguards.

The risk is compounded when Actix endpoints rely on cookie-based session tokens without additional CSRF protections and are served with permissive X-Frame-Options or Content-Security-Policy frame-ancestors directives. An attacker can craft a page that loads the target Actix route in a hidden iframe, overlaying buttons or links that invoke Mongodb mutations (e.g., changing a user’s role from viewer to admin). Since the browser automatically sends authentication cookies, the request is processed by Actix, which may rely on application-level logic that does not re-validate intent, ultimately causing unauthorized state changes in the Mongodb-backed data store.

middleBrick can detect missing anti-clickjacking protections among its 12 security checks. For example, a scan of an Actix endpoint backed by Mongodb may surface findings related to missing Content-Security-Policy frame-ancestors rules or overly permissive X-Frame-Options headers, helping teams understand how UI embedding issues can interact with backend data stores to amplify risk.

Remediation requires a defense-in-depth approach: secure HTTP headers to prevent framing, strict origin validation in Actix middleware, and safe handling of Mongodb operations to ensure that even if a UI layer is abused, backend authorization remains intact.

1. Set strict Content-Security-Policy frame-ancestors

Configure Actix middleware to emit a Content-Security-Policy header with frame-ancestors that explicitly deny all but trusted sources. This prevents the browser from rendering the page in an attacker-controlled iframe regardless of cookie state.

use actix_web::{web, App, HttpServer, HttpResponse, middleware::Logger};
use actix_web::http::header::{HeaderValue, CONTENT_SECURITY_POLICY};

async fn index() -> HttpResponse {
    let mut resp = HttpResponse::Ok();
    resp.headers_mut().insert(
        CONTENT_SECURITY_POLICY,
        HeaderValue::from_static("default-src 'self'; frame-ancestors 'none'"),
    );
    resp.body("Hello, secure world")
}

#[actix_web::main]
async fn main() -> std::io::Result<()> {
    HttpServer::new(|| {
        App::new()
            .wrap(Logger::default())
            .route("/", web::get().to(index))
    })
    .bind("127.0.0.1:8080")?
    .run()
    .await
}

2. Use per-route authorization and avoid trusting origin headers alone

Do not rely on the Referer or Origin headers for security decisions. Instead, enforce authentication and per-action authorization on every handler that interacts with Mongodb. Use a robust session/cookie strategy with SameSite and Secure flags, and validate permissions server-side.

use actix_web::{web, HttpRequest, HttpResponse};
use mongodb::{Client, Collection};
use serde::{Deserialize, Serialize};

#[derive(Deserialize, Serialize)]
struct User {
    id: String,
    role: String,
}

async fn update_role(
    req: HttpRequest,
    body: web::Json,
    db_client: web::Data,
) -> HttpResponse {
    let user_id = req.headers().get("X-User-Id").and_then(|v| v.to_str().ok());
    let user_id = match user_id {
        Some(id) => id,
        None => return HttpResponse::Unauthorized().body("missing user id"),
    };

    // Fetch current user from Mongodb to verify admin status
    let coll: Collection = db_client.database("appdb").collection("users");
    let filter = doc! { "id": user_id };
    let current_user = match coll.find_one(filter, None).await {
        Ok(Some(u)) => u,
        _ => return HttpResponse::Forbidden().body("insufficient permissions"),
    };

    if current_user.role != "admin" {
        return HttpResponse::Forbidden().body("insufficient permissions");
    }

    // Proceed with trusted update
    let update = doc! { "$set": { "role": body.new_role.clone() } };
    let _ = coll.update_one(doc! { "id": &body.target_id }, update).await;
    HttpResponse::Ok().body("role updated")
}

3. Combine CSP with X-Frame-Options for legacy browser coverage

While CSP frame-ancestors is the modern mechanism, setting X-Frame-Options provides defense-in-depth for older browsers. Ensure both headers are consistent and do not conflict.

async fn with_frame_guard(req: HttpRequest, body: web::Json) -> HttpResponse {
    let mut resp = HttpResponse::Ok().json(body.into_inner());
    resp.headers_mut().insert("X-Frame-Options", HeaderValue::from_static("DENY"));
    resp.headers_mut().insert(
        "Content-Security-Policy",
        HeaderValue::from_static("frame-ancestors 'none'"),
    );
    resp
}

4. Validate and sanitize all inputs before Mongodb operations

Use strongly typed structures and avoid concatenating raw strings for queries to prevent injection and ensure that authorization checks remain meaningful regardless of how the request was initiated.

use mongodb::bson::doc;

async fn safe_query_by_id(coll: &Collection, id: &str) -> Option {
    let filter = doc! { "id": id };
    coll.find_one(filter, None).await.ok()?
}