[WO-03-013] Fix lack of X-Frame-Options Header on Whiteout Server (Medium)

8 years ago · e6d109d42d
parent 0dc04e659f
commit e6d109d42d
1 changed files with 2 additions and 0 deletions
--- a/server.js
+++ b/server.js
@ -75,6 +75,8 @@ var development = (process.argv[2] === '--dev');

 // set HTTP headers
 app.use(function(req, res, next) {
+    // prevent rendering website in foreign iframe (Clickjacking)
+    res.set('X-Frame-Options', 'SAMEORIGIN');
    // HSTS
    res.set('Strict-Transport-Security', 'max-age=16070400; includeSubDomains');
    // CSP