AdamXweb I have not seen that particular email.
Flarum does not add an `X-Frame-Options` header to the forum, but it's true that it's a good practice to set that header. It's usually done at the web server level, for example using Apache's `Header set` instruction from mod_headers: https://github.com/phanan/htaccess#prevent-framing-the-site . For nginx, the line `add_header X-Frame-Options "SAMEORIGIN";` can be added to the `server` block.
Some managed hosting providers like Laravel Forge have that header as part of their default configuration. I believe proxies like Cloudflare also have this as an easy option to enable.
It's worth noting that there shouldn't be any concern with a basic Flarum installation running without that header, because our default cookie `SameSite` policy prevents the Flarum session from being shared inside a cross-origin iframe. So the third-party website could theoretically force a user to unwillingly create an account, or perform any action that a guest could perform in a community extension, but couldn't get the user to perform an action via their logged-in Flarum account.
Without the ability to exploit the logged-in session, I think most of the attacks possible would be purely spam or denial-of-service related. For example, if you have a contact form that can be submitted by guests, clickjacking could be used to force unsuspecting users who don't even know your website to submit the form in large numbers, as part of a sort of botnet. But unless you have an extension that lets guests send emails to arbitrary addresses without restrictions, that won't be very interesting for any attacker. If they want to bring down your website, they'll use a classic DDoS attack anyway.
I'm not sure what they mean by keystroke hijacking. Clickjacking is where the victim is on an attacker-controlled website and unknowingly interacts with the targeted website in an iframe. If the attacker is trying to steal credentials from the same context, they don't need clickjacking, they can just perform a phishing attack via a fake login form. I don't see where the iframe comes into play in credentials hijacking. The way the "impact" paragraph is phrased also doesn't make much sense to me.
So in conclusion: Unless you have a very specific community extension that adds a guest-accessible feature that could create spam, I don't think the absence of the header poses any security risk at all. But I would still recommend adding the header, particularly if you are not embedding your forum yourself.
EDIT to address the origin of the email: It's quite possible this email is part of an automated campaign, since the absence of the header and your email could be found by a bot, and the email doesn't specify a particular form or button that could be vulnerable on the website. I assume the URL you obfuscated is just the homepage and not a particular page added by an extension. They are probably sending this email to many websites hoping to get something in return.
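The post above makes two separate points: the `X-Frame-Options` (or CSP `frame-ancestors`) header decides whether the forum can be framed at all, and the session cookie's `SameSite` attribute decides whether a logged-in session is usable from inside a cross-site frame. The following Python checker is an added example written for this thread; it is not code from the post's author or from Flarum. It parses a raw HTTP response head, reports the effective framing policy and the session cookie's `SameSite` value, and combines the two into the distinction the post draws between "guest-only clickjacking" and "clickjacking with a logged-in session". The sample responses at the bottom are constructed, and the cookie name `forum_session` is an assumption used for illustration, not Flarum's actual cookie name.

```python
"""Check an HTTP response for clickjacking protection and cookie SameSite policy.

Added example for this thread, not Flarum's own code. All sample responses
below are constructed and the cookie name 'forum_session' is an assumption.
"""
from typing import Dict, List, Tuple

Header = Tuple[str, str]  # (lowercased header name, value)


def parse_response_headers(raw: str) -> List[Header]:
    """Parse a raw HTTP response head (status line plus header lines).

    Returns (name, value) pairs as a list rather than a dict so that repeated
    headers such as multiple Set-Cookie lines are all preserved.
    """
    headers: List[Header] = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # an empty line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def get_all(headers: List[Header], name: str) -> List[str]:
    """All values of a header, in order of appearance."""
    name = name.lower()
    return [value for key, value in headers if key == name]


def framing_policy(headers: List[Header]) -> str:
    """Effective framing restriction a modern browser applies to the page.

    'csp'        Content-Security-Policy carries frame-ancestors; browsers then
                 ignore X-Frame-Options entirely.
    'deny'       X-Frame-Options: DENY
    'sameorigin' X-Frame-Options: SAMEORIGIN
    'none'       no usable restriction, so any site can frame the page.
                 The obsolete ALLOW-FROM value falls here because current
                 browsers do not honour it.
    """
    for csp in get_all(headers, "content-security-policy"):
        directives = [d.strip().lower() for d in csp.split(";")]
        if any(d.startswith("frame-ancestors") for d in directives):
            return "csp"
    values = {v.strip().upper() for v in get_all(headers, "x-frame-options")}
    if "DENY" in values:
        return "deny"
    if "SAMEORIGIN" in values:
        return "sameorigin"
    return "none"


def cookie_samesite(headers: List[Header], cookie_name: str) -> str:
    """SameSite attribute of the named cookie from the Set-Cookie headers.

    Returns 'strict', 'lax' or 'none' when the attribute is present, 'unset'
    when the cookie is set without one, and 'missing' when the response does
    not set that cookie at all.
    """
    for raw_cookie in get_all(headers, "set-cookie"):
        parts = [p.strip() for p in raw_cookie.split(";")]
        name, _, _ = parts[0].partition("=")
        if name.strip() != cookie_name:
            continue
        for attribute in parts[1:]:
            key, _, value = attribute.partition("=")
            if key.strip().lower() == "samesite":
                return value.strip().lower() or "unset"
        return "unset"
    return "missing"


def assess(raw: str, session_cookie: str) -> Dict[str, object]:
    """Combine framing policy and cookie policy into the two risks discussed."""
    headers = parse_response_headers(raw)
    framing = framing_policy(headers)
    samesite = cookie_samesite(headers, session_cookie)
    frameable = framing == "none"
    # A cross-site iframe only carries the session if the cookie is sent on
    # cross-site sub-requests. Lax and Strict cookies are never sent to a
    # cross-site frame. 'unset' is counted as exposed because not every
    # browser applies Lax by default.
    session_exposed = samesite in ("none", "unset")
    return {
        "framing": framing,
        "session_samesite": samesite,
        # Guest-level actions (spam forms etc.) only need the page to be frameable.
        "clickjacking_guest_actions": frameable,
        # Actions on the victim's logged-in account also need the cookie.
        "clickjacking_with_session": frameable and session_exposed,
    }


# Constructed sample responses, not captured from any real forum.
RESPONSE_NO_HEADER = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: forum_session=abc123; Path=/; HttpOnly; SameSite=Lax
"""

RESPONSE_WITH_HEADER = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Set-Cookie: forum_session=abc123; Path=/; HttpOnly; SameSite=Lax
"""

RESPONSE_SAMESITE_NONE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Set-Cookie: forum_session=abc123; Path=/; Secure; SameSite=None
"""

if __name__ == "__main__":
    for label, sample in [("no header", RESPONSE_NO_HEADER),
                          ("header set", RESPONSE_WITH_HEADER),
                          ("SameSite=None", RESPONSE_SAMESITE_NONE)]:
        print(label, assess(sample, "forum_session"))
```

Running it against a live site means replacing the constructed samples with the head of a real response (for example the output of `curl -sI https://your-forum.example/`), and the `clickjacking_with_session` flag only flips to true when the page is frameable and the session cookie is explicitly `SameSite=None` or carries no `SameSite` attribute at all; a `Lax` cookie behind a frameable page lands in the guest-actions-only case the post describes.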