CWE-1021 Improper Restriction of Rendered UI Layers or Frames
What this means
SiteShadow flagged a page that other origins can embed (commonly in an iframe) or overlay in ways the site does not intend. An attacker's page can then cover, resize or hide your UI, which enables clickjacking and other UI-redress attacks.
Why it matters
UI layer manipulation can mislead users or enable clickjacking.
- Clickjacking: a malicious site frames your app and tricks users into clicking "invisible" buttons.
- Unintended actions: users might approve transfers, change settings, or grant an OAuth consent without realizing they did.
- Phishing inside your domain: attackers can make your real UI appear to do something else.
Safer examples
1) Block framing with CSP (recommended)
// Express example: register it before the routes so every response carries the header
app.use((req, res, next) => {
  res.setHeader("Content-Security-Policy", "frame-ancestors 'none'");
  next();
});
2) Add legacy X-Frame-Options
// Fallback for browsers that do not understand frame-ancestors; keep it alongside the CSP header
app.use((req, res, next) => {
  res.setHeader("X-Frame-Options", "DENY");
  next();
});
3) Scope exceptions narrowly
If you must allow embedding (for example, inside your own admin portal), use frame-ancestors 'self' https://trusted.example and keep the allowlist tight: list explicit origins only, never * or a bare scheme such as https:. X-Frame-Options cannot express such an allowlist (ALLOW-FROM is ignored by current browsers), so pair the CSP directive with X-Frame-Options SAMEORIGIN as a fail-closed fallback; browsers that support frame-ancestors ignore X-Frame-Options when both are present. Send frame-ancestors as an HTTP response header, because it is ignored in a meta http-equiv tag.
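The three steps above combined into one Express-compatible middleware, as an added example (not SiteShadow's or any project's code): one validated allowlist produces both headers, so the CSP directive and the X-Frame-Options fallback cannot drift apart. The origin https://trusted.example is the placeholder from the text, and the app object in the usage comment is assumed.

```javascript
// Added example, not part of the original page. Express-compatible middleware that
// derives a consistent pair of anti-framing headers from a single allowlist.

// Only 'self' and explicit https origins are accepted. Wildcards, scheme-only sources
// and bare host names are rejected so the allowlist cannot silently widen.
const ORIGIN_RE = /^https:\/\/[a-z0-9.-]+(:\d{1,5})?$/i;

function buildFramingHeaders(allowedAncestors = []) {
  for (const src of allowedAncestors) {
    if (src !== "'self'" && !ORIGIN_RE.test(src)) {
      throw new Error(`refusing frame-ancestors source: ${src}`);
    }
  }
  const sources = allowedAncestors.length ? allowedAncestors.join(" ") : "'none'";
  const csp = `frame-ancestors ${sources}`;

  // X-Frame-Options has no working allowlist form (ALLOW-FROM is ignored by current
  // browsers), so it is derived as a fail-closed fallback: DENY when nothing may frame
  // the page, SAMEORIGIN otherwise. Browsers that understand frame-ancestors ignore
  // X-Frame-Options when both are present, so the CSP allowlist still applies there.
  const xfo = allowedAncestors.length === 0 ? "DENY" : "SAMEORIGIN";
  return { csp, xfo };
}

function antiFraming(allowedAncestors = []) {
  // Validate once at startup rather than on every request.
  const { csp, xfo } = buildFramingHeaders(allowedAncestors);
  return (req, res, next) => {
    res.setHeader("Content-Security-Policy", csp);
    res.setHeader("X-Frame-Options", xfo);
    next();
  };
}

// Usage in an Express app (the app object is assumed). Register the default before the
// routes; a narrower mount may override it for one path, since setHeader replaces:
//   app.use(antiFraming());                                              // 'none' + DENY
//   app.use("/embed", antiFraming(["'self'", "https://trusted.example"])); // tight allowlist
```

Keeping the allowlist as data passed to one factory, rather than as two hand-written header strings, is what makes the exception auditable: a review of the call sites shows every origin that may frame the app.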
How SiteShadow detects it (high level)
- Detects missing or weak anti-framing protections (CSP frame-ancestors, X-Frame-Options) on application pages.
- Flags pages with high-risk actions (payments, settings, OAuth consent) as higher priority.
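A header-level check in the spirit of the detection described above, as an added example rather than SiteShadow's own logic: it parses every enforced CSP policy for frame-ancestors, classifies the page as protected, weak or unprotected, and raises the severity on high-risk paths. The sample responses and the high-risk path list are constructed for the example.

```javascript
// Added example, not SiteShadow's code. Classifies a response's anti-framing posture.

// Constructed list of path patterns treated as high-risk (payments, settings, OAuth consent).
const HIGH_RISK_PATHS = [/^\/checkout/, /^\/transfer/, /^\/settings/, /^\/oauth\/authorize/];

// Node-style headers: lowercase names; repeated headers arrive comma-joined, and a comma
// also separates multiple CSP policies, so split on it either way.
function headerValues(headers, name) {
  const v = headers[name.toLowerCase()];
  if (v === undefined) return [];
  return (Array.isArray(v) ? v : [v]).flatMap(s => s.split(","));
}

// One source list per policy that carries frame-ancestors. Within a policy only the first
// occurrence of a directive counts, matching how browsers handle duplicates.
function frameAncestorsLists(headers, name) {
  const lists = [];
  for (const policy of headerValues(headers, name)) {
    for (const directive of policy.split(";")) {
      const tokens = directive.trim().split(/\s+/).filter(Boolean);
      if (tokens.length && tokens[0].toLowerCase() === "frame-ancestors") {
        lists.push(tokens.slice(1));
        break;
      }
    }
  }
  return lists;
}

// Strict means: 'none', 'self', or explicit https origins only. A bare *, a host wildcard
// or a scheme-only source such as https: lets any site on that scheme frame the page.
function isStrictSourceList(sources) {
  if (sources.length === 0) return true; // an empty source list matches nothing, i.e. blocks
  return sources.every(s => {
    const t = s.toLowerCase();
    if (t === "'none'" || t === "'self'") return true;
    if (t.includes("*")) return false;
    if (/^[a-z][a-z0-9+.-]*:$/.test(t)) return false;
    return t.startsWith("https://");
  });
}

function assessFraming({ path, headers }) {
  const enforced = frameAncestorsLists(headers, "content-security-policy");
  const reportOnly = frameAncestorsLists(headers, "content-security-policy-report-only");
  const xfo = headerValues(headers, "x-frame-options").map(v => v.trim().toUpperCase());
  let status, reason;
  if (enforced.some(isStrictSourceList)) {
    // Multiple enforced policies are all applied, so one strict list is enough.
    status = "protected"; reason = "enforced frame-ancestors with a tight allowlist";
  } else if (enforced.length > 0) {
    status = "weak"; reason = "frame-ancestors allows broad sources: " +
      enforced.map(l => l.join(" ")).join(" | ");
  } else if (xfo.includes("DENY") || xfo.includes("SAMEORIGIN")) {
    status = "protected"; reason = "X-Frame-Options only; add CSP frame-ancestors";
  } else if (xfo.some(v => v.startsWith("ALLOW-FROM"))) {
    status = "weak"; reason = "X-Frame-Options ALLOW-FROM is ignored by current browsers";
  } else if (reportOnly.length > 0) {
    status = "unprotected"; reason = "frame-ancestors only in a Report-Only policy; nothing blocks framing";
  } else {
    status = "unprotected"; reason = "no anti-framing header";
  }
  const highRisk = HIGH_RISK_PATHS.some(re => re.test(path));
  const severity = status === "protected" ? "none" : highRisk ? "high" : "medium";
  return { path, status, severity, reason };
}

// Constructed sample responses standing in for captured HTTP responses.
const SAMPLE_RESPONSES = [
  { path: "/checkout", headers: {} },
  { path: "/settings", headers: { "content-security-policy": "default-src 'self'; frame-ancestors *" } },
  { path: "/oauth/authorize", headers: { "content-security-policy-report-only": "frame-ancestors 'none'" } },
  { path: "/docs", headers: { "x-frame-options": "SAMEORIGIN" } },
  { path: "/transfer", headers: { "content-security-policy": "frame-ancestors 'self' https://trusted.example",
                                  "x-frame-options": "SAMEORIGIN" } },
  { path: "/widget", headers: { "content-security-policy": "frame-ancestors https:" } },
];

function scan(responses = SAMPLE_RESPONSES) {
  return responses.map(assessFraming);
}
```

The Report-Only and scheme-only cases are the ones a naive "is the header present" check gets wrong: both carry a frame-ancestors directive, and neither stops an attacker's page from framing yours.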
References
- CWE-1021: https://cwe.mitre.org/data/definitions/1021.html
---