clickjacking prevention via X-Frame-Options and Content-Security-Policy headers

2021-10-06 16:44:36 +01:00
parent 726e8c611a
commit 381f412df9
3 changed files with 10 additions and 0 deletions
--- a/bin/netdisco-web-fg
+++ b/bin/netdisco-web-fg
@@ -31,6 +31,12 @@ BEGIN {

 set plack_middlewares => [
  ['Plack::Middleware::ReverseProxy'],
+  [ Headers => (
+      set => ['X-Frame-Options' => setting('HTTP-Header-X-Frame-Options')],
+  )],
+  [ Headers => (
+      set => ['Content-Security-Policy' => setting('HTTP-Header-Content-Security-Policy')],
+  )],
  [ Expires => (
      content_type => [qr{^application/javascript}, qr{^text/css}, qr{image}, qr{font}],
      expires => 'access plus 1 day',