clickjacking prevention via X-Frame-Options and Content-Security-Policy headers

Build.PL

@@ -71,6 +71,7 @@ Module::Build->new(
     'Plack::Handler::Twiggy' => '0',
     'Plack::Middleware::Debug' => '0',
     'Plack::Middleware::Expires' => '0.03',
+    'Plack::Middleware::Headers' => '0',
     'Plack::Middleware::ReverseProxy' => '0.15',
     'Pod::Usage' => 0,
     'Regexp::Common' => 2017060201,

bin/netdisco-web-fg

@@ -31,6 +31,12 @@ BEGIN {
 
 set plack_middlewares => [
   ['Plack::Middleware::ReverseProxy'],
+  [ Headers => (
+      set => ['X-Frame-Options' => setting('HTTP-Header-X-Frame-Options')],
+  )],
+  [ Headers => (
+      set => ['Content-Security-Policy' => setting('HTTP-Header-Content-Security-Policy')],
+  )],
   [ Expires => (
       content_type => [qr{^application/javascript}, qr{^text/css}, qr{image}, qr{font}],
       expires => 'access plus 1 day',

share/config.yml

@@ -533,3 +533,6 @@ template: 'netdisco_template_toolkit'
 route_cache: true
 appname: 'Netdisco'
 behind_proxy: false
+HTTP-Header-X-Frame-Options: 'DENY'
+HTTP-Header-Content-Security-Policy: 'none'
+