From 281e53a8871a71dafe36a86b2dad64baa812fb3e Mon Sep 17 00:00:00 2001
From: Tankred Hase
Date: Thu, 23 Apr 2015 17:44:30 +0200
Subject: [PATCH] [WO-03-013] Set stricter X-Frame-Options HTTP headers

---
 server.js | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/server.js b/server.js
index def7288..8600dae 100644
--- a/server.js
+++ b/server.js
@@ -76,7 +76,7 @@ var development = (process.argv[2] === '--dev');
 // set HTTP headers
 app.use(function(req, res, next) {
 // prevent rendering website in foreign iframe (Clickjacking)
- res.set('X-Frame-Options', 'SAMEORIGIN');
+ res.set('X-Frame-Options', 'DENY');
 // HSTS
 res.set('Strict-Transport-Security', 'max-age=16070400; includeSubDomains');
 // CSP
@@ -88,11 +88,14 @@ app.use(function(req, res, next) {
 res.set('Cache-control', 'public, max-age=0');
 next();
 });
-
 app.use('/appcache.manifest', function(req, res, next) {
 res.set('Cache-control', 'no-cache');
 next();
 });
+app.use('/tpl/read-sandbox.html', function(req, res, next) {
+ res.set('X-Frame-Options', 'SAMEORIGIN');
+ next();
+});

 // redirect all http traffic to https
 app.use(function(req, res, next) {
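Review bot: The comment above the changed line still says "prevent rendering website in foreign iframe", but `DENY` now also refuses same-origin framing, which is exactly why the second hunk has to re-relax the header for one page; the comment should say so, e.g. `// forbid framing from any origin (Clickjacking); pages that must be framed by this app override this below`. If the CSP set under the `// CSP` comment does not already carry `frame-ancestors 'none'`, it is worth adding as the modern equivalent that browsers prefer over X-Frame-Options, though that line is outside the hunk so I cannot confirm it. The header-setting middleware ends outside this hunk.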
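Review bot: The new `app.use('/tpl/read-sandbox.html', ...)` override matches by path prefix and, by Express default, case-insensitively, so any request whose path starts with `/tpl/read-sandbox.html` (sub-paths, different casing) gets the relaxed `SAMEORIGIN` value, not just the sandbox page itself; whether such requests ever serve content depends on the static handler, which is not visible here. Using an exact-route registration, `app.get('/tpl/read-sandbox.html', function(req, res, next) {`, narrows the exception to the one page and the one method that actually needs it. The override also deserves a why-comment, since a reader seeing `SAMEORIGIN` directly after the global `DENY` will assume it is a leftover: `// read-sandbox is framed by this app's own pages, so same-origin framing must stay allowed here`. The behaviour relies on this middleware running after the global header middleware, which the file order guarantees but a comment could state.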