Description
Summary
During our internal security review of the Argo CD UI, we found that the Swagger UI does not include the X-Frame-Options HTTP header. This could allow the Swagger interface to be embedded in an external iframe, exposing it to clickjacking attacks.
Motivation
Clickjacking is a known security risk where an attacker tricks users into clicking something different from what the user perceives, potentially leading to unintended actions being performed on behalf of the user.
Since Swagger UI allows direct interaction with Argo CD's API, it's especially important to prevent this interface from being embedded in untrusted origins.
Many security standards and compliance requirements (e.g. CSP best practices, OWASP) recommend or require setting the X-Frame-Options header (or modern equivalents like Content-Security-Policy: frame-ancestors) to prevent UI embedding.
Adding this header improves the security posture of the Swagger UI endpoint and aligns with industry best practices.
Proposal
Ensure that Argo CD’s Swagger UI and related endpoints send the X-Frame-Options header with the value DENY to prevent it from being embedded in any iframe. Optionally, for modern browsers, a Content-Security-Policy header with a frame-ancestors 'none' directive could also be included to provide more robust protection.
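The two headers named in the proposal, as an added Go example that is not Argo CD's own code: a small middleware that sets X-Frame-Options: DENY and Content-Security-Policy: frame-ancestors 'none' on every response it wraps, plus a check that reports which of the two protections a response is missing, so the same check can be run against a live endpoint after the fix is deployed. The middleware name, the /swagger-ui path and the placeholder Swagger handler are assumptions for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// antiFramingHeaders wraps an http.Handler and adds both anti-framing headers
// from the proposal: X-Frame-Options: DENY (understood by older browsers) and
// Content-Security-Policy: frame-ancestors 'none' (the modern equivalent).
// Headers are set before the wrapped handler runs so they reach the client
// even if the handler writes its body immediately.
func antiFramingHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		h.Set("X-Frame-Options", "DENY")
		h.Set("Content-Security-Policy", "frame-ancestors 'none'")
		next.ServeHTTP(w, r)
	})
}

// swaggerStub stands in for the Swagger UI handler (constructed for this
// example; it is not the real Argo CD handler).
func swaggerStub() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		fmt.Fprint(w, "<html><body>swagger ui placeholder</body></html>")
	})
}

// missingFramingHeaders reports which of the two expected anti-framing
// protections are absent from a response. An empty result means both are set.
func missingFramingHeaders(h http.Header) []string {
	var missing []string
	if !strings.EqualFold(h.Get("X-Frame-Options"), "DENY") {
		missing = append(missing, "X-Frame-Options: DENY")
	}
	if !strings.Contains(h.Get("Content-Security-Policy"), "frame-ancestors 'none'") {
		missing = append(missing, "Content-Security-Policy: frame-ancestors 'none'")
	}
	return missing
}

// headersFor issues an in-process GET against the handler and returns the
// response headers, so the check can be exercised without a network.
func headersFor(h http.Handler) http.Header {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/swagger-ui", nil) // assumed path
	h.ServeHTTP(rec, req)
	return rec.Result().Header
}

func main() {
	// Before: the bare Swagger handler sends neither header.
	fmt.Println("unprotected, missing:", missingFramingHeaders(headersFor(swaggerStub())))
	// After: the wrapped handler sends both.
	fmt.Println("protected, missing:", missingFramingHeaders(headersFor(antiFramingHeaders(swaggerStub()))))
}
```

Against a running instance the same check is `curl -sI https://<argocd-host>/swagger-ui` and looking for both headers in the output; if a response already carries a Content-Security-Policy, the frame-ancestors directive should be appended to it rather than replacing it, since a second Set would drop the existing policy.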