Do not derive anti-framing headers from request input | Critiq Docs

#Metadata

Rule ID: ts.security.ui-redress
Severity: high
Confidence: 0.88
Languages: javascript, typescript
Presets: recommended, security, strict
Stability: stable
Applies to: block
Tags: clickjacking, headers, rules-catalog, security

#Why it matters

Request-controlled anti-framing headers weaken protections against clickjacking and UI redress attacks.

#Remediation

Set framing and CSP headers from fixed server policy instead of request data.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/typescript/ts.security.ui-redress.rule.yaml.

Back to registry Open rule in repository