[TASK] Document Clickjacking attack scenario and defense

This patch adds two sections to the Security Guide which explain the
Clickjacking attack scenario and the defense against it in the FE by
sending X-Frame-Options in the HTTP header.
We also mention that this header is sent in the backend by default.

One section in chapter "Guidelines for system administrators" (web
server configuration example) and another section in chapter "Guidelines
for integrators".

Resolves: #57144
Related: #54201
Reviewed-by: Helmut Hummel

Author: Michael Schams

Documentation/GuidelinesAdministrators/FurtherActions/Index.rst

@@ -11,6 +11,9 @@
 Further actions
 ^^^^^^^^^^^^^^^
 
+Hosting environment
+"""""""""""""""""""
+
 A system administrator is usually responsible for the entirety of an
 IT infrastructure. This includes several services (e.g. web server,
 mail server, database server, SSH, FTP, DNS, etc.) on one or on
@@ -25,6 +28,9 @@ database server, DNS server, IMAP/POP3 server, etc.). In short words:
 keep your hosting environment as slim as possible for performance and
 security purposes.
 
+Security-related PHP settings
+"""""""""""""""""""""""""""""
+
 Due to the fact that TYPO3 is a PHP application, secure PHP settings
 are also important, of course. The myth, that the well-known "Safe
 Mode" gives you the full-protection should be busted today. Depending
@@ -43,14 +49,51 @@ front of the TYPO3 server) may have an impact on the retrieval of the
 TYPO3 extension list, which allows you to check if extension updates
 are available!
 
+Events in log files
+"""""""""""""""""""
+
 Login attempts to the TYPO3 backend, which are unsuccessful, result in
 a server response to the client with HTTP code 401 ("Unauthorized").
 Due to the fact that this incident is logged in the web server's
 error log file, it can be handled by external tools, such as
 `fail2ban <http://www.fail2ban.org>`_.
 
+
+.. _administrators-furtheractions-clickjacking:
+
+Defending against Clickjacking
+""""""""""""""""""""""""""""""
+
+Clickjacking, also knows as *user interface (UI) redress attack* or
+*UI redressing*, is an attack scenario where an attacker tricks a web
+user into clicking on a button or following a link different from what
+the user believes he/she is clicking on. This attack can be typically
+achieved by a combination of stylesheets and iframes, where multiple
+transparent or opaque layers manipulate the visual appearance of a HTML
+page.
+
+To protect the backend of TYPO3 CMS against this attack vector, a HTTP
+header *X-Frame-Options* is sent, which prevents embedding backend pages
+in an iframe on domains different than the one used to access the
+backend. The X-Frame-Options header has been officially standardized as
+`RFC 7034 <http://tools.ietf.org/html/rfc7034>`_.
+
+System administrators should consider enabling this feature at the
+frontend of the TYPO3 website, too. A configuration of the Apache
+web server would typically look like the following::
+
+   <IfModule mod_headers.c>
+     Header always append X-Frame-Options SAMEORIGIN
+   </IfModule>
+
+The option *SAMEORIGIN* means, that the page can only be displayed in
+a frame on the same origin as the page itself. Other options are *DENY*
+(page cannot be displayed in a frame, regardless of the site attempting
+to do so) and *ALLOW-FROM [uri]* (page can only be displayed in a frame
+on the specified origin).
+
+|
 Please understand that detailed descriptions of further actions on a
 server-level and specific PHP security settings are out of scope of
 this document. The TYPO3 Security Guide focuses on security aspects of
 TYPO3.
-

Documentation/GuidelinesIntegrators/Typoscript/Index.rst

@@ -139,3 +139,18 @@ system or to place malicious code (e.g. XSS) in the output of the
 pages generated by the CMS. This attack scenario even does not require
 access to the TYPO3 backend.
 
+Clickjacking
+""""""""""""
+
+Clickjacking is an attack scenario where an attacker tricks a web
+user into clicking on a button or following a link different from what
+the user believes he/she is clicking on. Please see
+:ref:`administrators-furtheractions-clickjacking` for further details.
+It may be beneficial to include a HTTP header *X-Frame-Options* on
+frontend pages to protect the TYPO3 website against this attack vector.
+Please consult with your system administrator about pros and cons of
+this configuration.
+
+The following TypoScript adds the appropriate line to the HTTP header::
+
+   config.additionalHeaders = X-Frame-Options: SAMEORIGIN