
[WO-03-013] Set stricter X-Frame-Options HTTP headers

This commit is contained in:
Tankred Hase 2015-04-23 17:44:30 +02:00
parent 6216fe2f1a
commit 281e53a887


@ -76,7 +76,7 @@ var development = (process.argv[2] === '--dev');
// set HTTP headers // set HTTP headers
app.use(function(req, res, next) { app.use(function(req, res, next) {
// prevent rendering website in foreign iframe (Clickjacking) // prevent rendering website in foreign iframe (Clickjacking)
res.set('X-Frame-Options', 'SAMEORIGIN'); res.set('X-Frame-Options', 'DENY');
// HSTS // HSTS
res.set('Strict-Transport-Security', 'max-age=16070400; includeSubDomains'); res.set('Strict-Transport-Security', 'max-age=16070400; includeSubDomains');
// CSP // CSP
@ -88,11 +88,14 @@ app.use(function(req, res, next) {
res.set('Cache-control', 'public, max-age=0'); res.set('Cache-control', 'public, max-age=0');
next(); next();
}); });
app.use('/appcache.manifest', function(req, res, next) { app.use('/appcache.manifest', function(req, res, next) {
res.set('Cache-control', 'no-cache'); res.set('Cache-control', 'no-cache');
next(); next();
}); });
app.use('/tpl/read-sandbox.html', function(req, res, next) {
res.set('X-Frame-Options', 'SAMEORIGIN');
next();
});
// redirect all http traffic to https // redirect all http traffic to https
app.use(function(req, res, next) { app.use(function(req, res, next) {