HIGH clickjackingstrapibearer tokens

Clickjacking in Strapi with Bearer Tokens

Scan for clickjacking in strapi

Clickjacking in Strapi with Bearer Tokens — how this specific combination creates or exposes the vulnerability

Clickjacking is a client-side vulnerability where an attacker tricks a user into interacting with a hidden UI element inside an invisible or disguised frame. In Strapi, if an authenticated admin or API consumer performs privileged actions while authenticated with a Bearer Token, a malicious site can embed the Strapi admin panel or an action endpoint inside an <iframe> and overlay invisible controls. Because the request includes a valid Bearer Token in the Authorization header, the browser automatically sends credentials, allowing the attacker to perform actions on behalf of the victim without their knowledge.

When Strapi admin pages or custom API routes are reachable while authenticated via Bearer Token (e.g., from a mobile app or a single-page application that stores the token in memory or localStorage), and those pages do not enforce frame-ancestor policies, clickjacking becomes feasible. Even though Bearer Tokens protect authentication in transit, they do not prevent the browser from including them in requests initiated by a malicious page. This is especially risky if Strapi’s admin UI is accessible from non-localhost origins without Content Security Policy (CSP) frame-ancestors directives, or if developer endpoints or GraphQL explorers are exposed and lack anti-clickjacking controls.

For example, consider a Strapi backend serving an admin interface at https://admin.example.com and an API endpoint at https://api.example.com/users/me that relies on a Bearer Token. An attacker can craft a page that loads https://admin.example.com/content-manager/explorer inside a transparent iframe and position a transparent button over a dangerous action such as publishing content or changing roles. When an admin with an active session visits the attacker’s page, the request to Strapi includes the Bearer Token automatically, making the unauthorized action appear legitimate to the server. Because Strapi’s security configuration does not inherently mitigate framing, the combination of an authenticated session (Bearer Token) and missing frame controls exposes the system to clickjacking.

OpenAPI/Swagger analysis can reveal endpoints that lack anti-clickjacking protections or are served with permissive CORS and missing CSP headers. middleBrick scans identify missing security headers such as Content-Security-Policy and X-Frame-Options during its 12 security checks, helping you detect exposed admin surfaces that could be targeted alongside Bearer Token–protected routes.

Bearer Tokens-Specific Remediation in Strapi — concrete code fixes

To mitigate clickjacking when using Bearer Tokens in Strapi, apply frame-protection headers and ensure that sensitive admin interfaces are not embeddable. Strapi allows header customization through its extension system or server middleware, depending on the deployment mode. Below are concrete examples for both approaches.

1. Configure CSP and X-Frame-Options via Strapi server middleware

In Strapi v4+, you can add custom server middleware to inject security headers for all responses. Create or update ./src/middlewares/security.js (in a custom template or plugin) to set Content-Security-Policy with a strict frame-ancestors directive and X-Frame-Options.

// ./src/middlewares/security.js
module.exports = (config, { env }) => {
  return {
    name: 'security-headers',
    register: async () => {
      // This will be applied by Strapi’s server layer
      config.server.settings.headers = [
        {
          key: 'Content-Security-Policy',
          value: "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'none';"
        },
        {
          key: 'X-Frame-Options',
          value: 'DENY'
        }
      ];
    }
  };
};

The frame-ancestors 'none' in CSP, combined with X-Frame-Options: DENY, ensures that browsers will not render Strapi pages inside frames, effectively neutralizing clickjacking attempts regardless of whether the request uses a Bearer Token.

2. Protect admin routes selectively

If you want to allow embedding for specific trusted contexts (e.g., a partner portal), set frame-ancestors to those origins instead of 'none'. For admin-only pages, keep a strict policy and ensure that the admin route is not unintentionally exposed via public CORS settings. Example CSP allowing only a trusted domain:

Content-Security-Policy: default-src 'self'; frame-ancestors 'self' https://partner.example.com;

3. Ensure Bearer Token usage does not leak into insecure contexts

When consuming Strapi APIs from a frontend, store Bearer Tokens securely (e.g., httpOnly cookies or secure storage with appropriate mitigations) and avoid including them in URLs. Ensure that requests to sensitive endpoints include the Authorization header only over HTTPS. Validate origins on the server when possible, and use CORS to restrict origins that can interact with your API.

4. Verify using browser devtools and scans

After applying these headers, use browser developer tools to confirm the presence of Content-Security-Policy and X-Frame-Options on responses for admin and API routes. middleBrick can validate that these headers are present and that the CSP frame-ancestors directive is correctly blocking framing attempts.

Scan for clickjacking in strapi Free API security scan

Frequently Asked Questions

Can clickjacking still occur if Strapi APIs require Bearer Tokens?
Yes. Bearer Tokens protect authentication, but they do not prevent the browser from including those tokens in requests initiated by a malicious page. Without frame-protection headers like Content-Security-Policy frame-ancestors or X-Frame-Options, an attacker can embed the Strapi admin or API endpoints in an invisible frame and trigger actions using the victim’s active session.
Does middleBrick fix clickjacking or only detect it?
middleBrick detects and reports missing security headers and framing risks across 12 checks, including CSP and X-Frame-Options. It provides remediation guidance so you can apply secure configurations in Strapi, but it does not automatically patch or block requests.

Related Pages

Clickjacking in StrapiLearn how clickjacking attacks target Strapi admin interfaces and API endpoints, with specific detection methods and StrClickjacking with Bearer TokensLearn how clickjacking attacks exploit Bearer Token endpoints and discover specific detection methods and remediation teClickjacking in Strapi on Fly IoUnderstand clickjacking risks in Strapi behind Fly Io and implement CSP frame-ancestors and X-Frame-Options with concretClickjacking in Strapi on SupabaseUnderstand clickjacking risks when Strapi integrates with Supabase, and apply X-Frame-Options and CSP frame-ancestors toClickjacking in Strapi on RailwayUnderstand and remediate clickjacking in Strapi on Railway with header-level security configurations and actionable middHipaa: Clickjacking in StrapiExplore clickjacking risks in Strapi deployments under HIPAA, with specific header configurations and code examples to sGdpr: Clickjacking in StrapiExplore GDPR risks in clickjacking with Strapi-backed APIs. Learn concrete remediation via CSP frame-ancestors, CORS polIso 27001: Clickjacking in StrapiExplore clickjacking risks in Strapi under ISO 27001 and learn concrete header-level fixes using CSP frame-ancestors andCis: Clickjacking in StrapiCIS guidance on clickjacking with Strapi, including attack mechanics and Strapi-specific header configurations to prevenClickjacking in Strapi with FirestoreAnalyzing clickjacking risks when Strapi serves Firestore-backed interfaces, with header-level fixes and Firestore clienClickjacking in Strapi with DynamodbUnderstand clickjacking risks in Strapi with DynamoDB-backed content and apply CSP, X-Frame-Options, and secure SDK usagClickjacking in Strapi with CockroachdbAssess clickjacking risks in Strapi with Cockroachdb, implement CSP frame-ancestors and X-Frame-Options, and validate wi