SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-1021 Improper Restriction of Rendered UI Layers

Coverage: 4 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 4 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.

What this means

SiteShadow flagged a UI that can be embedded/overlaid in ways the site doesn't intend (commonly via framing/overlays), which can enable clickjacking or other UI manipulation.

Why it matters

UI layer manipulation can mislead users or enable clickjacking.

Safer examples

1) Block framing with CSP (recommended)

// Express example
app.use((req, res, next) => {
  res.setHeader("Content-Security-Policy", "frame-ancestors 'none'");
  next();
});

2) Add legacy X-Frame-Options

app.use((req, res, next) => {
  res.setHeader("X-Frame-Options", "DENY");
  next();
});

3) Scope exceptions narrowly

If you must allow embedding (e.g., in your own admin portal), use frame-ancestors 'self' https://trusted.example and keep the allowlist tight.

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.