Clickjacking in Strapi with Cockroachdb
Clickjacking in Strapi with Cockroachdb — how this specific combination creates or exposes the vulnerability
Clickjacking is a client-side UI redressing attack where an invisible or misleading interface layer tricks a user into performing unintended actions. In a Strapi application backed by Cockroachdb, the risk arises when admin or content-entry pages are embedded inside an attacker-controlled frame without proper framing controls. Because Strapi admin interfaces often manage sensitive content and role-based permissions, loading them in an iframe on a malicious site could allow an attacker to capture admin interactions or induce unwanted content updates.
With Cockroachdb as the underlying data store, the exposure is less about the database protocol and more about how Strapi’s runtime serves admin pages and API endpoints that may be inadvertently embedded. Cockroachdb’s strong consistency and distributed nature do not prevent clickjacking; they simply mean that any data read or written as a result of a hijacked admin action will be consistent across nodes. If Strapi’s Content Security Policy (CSP) does not restrict frame ancestors, an attacker can load /admin or API-driven forms in an invisible iframe and overlay crafted UI elements to manipulate clicks.
Consider a scenario where an authenticated admin user visits a compromised site while logged into Strapi. If the response headers lack X-Frame-Options or Content-Security-Policy: frame-ancestors, the admin panel can be embedded. An attacker might overlay buttons or forms that invoke Strapi’s REST or GraphQL endpoints backed by Cockroachdb, performing actions such as publishing content, modifying user roles, or creating API keys. Because Strapi’s unauthenticated attack surface can include certain public endpoints, an LLM/AI Security probe from middleBrick might also check whether admin routes are exposed in ways that facilitate embedding, alongside testing for header misconfigurations.
In this stack, the risk is not in Cockroachdb itself but in how Strapi delivers and frames content and APIs to the browser. Without appropriate CSP frame-ancestor rules or X-Frame-Options, any page or endpoint that renders an admin UI or sensitive form becomes a vector. middleBrick’s checks for Security Misconfiguration and Input Validation would flag missing frame-ancestors directives and test whether critical endpoints can be embedded, regardless of whether the persistence layer is Cockroachdb, MySQL, or another store.
Cockroachdb-Specific Remediation in Strapi — concrete code fixes
Remediation centers on HTTP headers and Strapi’s security policies, independent of the database. However, because Cockroachdb is the backend, ensure that environment variables and connection parameters do not leak into client-side responses. The following steps harden Strapi to prevent clickjacking while working naturally with Cockroachdb.
- Set Content-Security-Policy frame-ancestors: In Strapi’s
./config/middlewares.js, add a global CSP header for admin and API responses.
// ./config/middlewares.js
module.exports = {
settings: {
middlewares: [
{
name: 'strapi::security',
config: {
contentSecurityPolicy: {
useDefaults: true,
directives: {
"frame-ancestors": ["'self'"],
// Optionally allow specific trusted dashboards:
// "frame-ancestors": ["'self'" "https://monitor.example.com"]
},
},
},
},
'strapi::errors',
'strapi::cors',
'strapi::poweredBy',
'strapi::logger',
'strapi::query',
'strapi::body',
'strapi::session',
'strapi::favicon',
'strapi::public',
],
},
};
- Set X-Frame-Options for legacy support: In the same configuration, ensure headers are applied to responses for older browsers that rely on
X-Frame-Options.
// Example within a custom middleware or security plugin
ctx.response.set('X-Frame-Options', 'DENY');- Secure Cockroachdb connection and avoid leaking credentials: In your Strapi database config, ensure sensitive parameters are injected via environment variables and not echoed in error messages that could be surfaced to untrusted origins.
# ./config/database.js
module.exports = ({
env: () => ({
defaultConnection: 'default',
connections: {
default: {
connector: 'cockroachdb',
settings: {
host: process.env.COCKROACHDB_HOST || 'localhost',
port: process.env.COCKROACHDB_PORT || 26257,
database: process.env.COCKROACHDB_DATABASE || 'strapi',
schema: process.env.COCKROACHDB_SCHEMA || 'public',
ssl: {
rejectUnauthorized: process.env.COCKROACHDB_SSL_REJECT_UNAUTHORIZED === 'true',
},
username: process.env.COCKROACHDB_USERNAME || 'admin',
password: process.env.COCKROACHDB_PASSWORD || 'strong-password',
},
options: {
dialectOptions: {
application_name: 'strapi-app',
},
},
},
},
}),
});- Validate and sanitize inputs to prevent stored XSS that could complement clickjacking: Use Strapi’s built-in validation and, if writing custom controllers that run SQL-like queries via an ORM or raw client, ensure placeholders are used.
// Example in a custom controller action
module.exports = {
async updateSettings(ctx) {
const { settingKey, settingValue } = ctx.request.body;
// Validate input types and length to avoid injection or malicious payloads
if (typeof settingKey !== 'string' || settingKey.length > 256) {
return ctx.badRequest('Invalid settingKey');
}
// Use parameterized approaches where possible; with Cockroachdb via an ORM,
// Strapi typically handles this, but raw queries should use placeholders.
await strapi.db.query('app_settings').update({
where: { key: settingKey },
data: { value: settingValue },
});
return ctx.ok('Settings updated');
},
};These changes ensure that even when Strapi interacts with Cockroachdb, clickjacking vectors are addressed at the HTTP layer. middleBrick’s scans can verify that frame-ancestors and X-Frame-Options are present and test public endpoints for unintended embeddability.