From e6d109d42d86fec87630210f8812ee7dfe30562d Mon Sep 17 00:00:00 2001
From: Tankred Hase
Date: Wed, 22 Apr 2015 18:35:59 +0200
Subject: [PATCH] [WO-03-013] Fix lack of X-Frame-Options Header on Whiteout Server (Medium)

---
 server.js | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/server.js b/server.js
index 26a6f74..04960a6 100644
--- a/server.js
+++ b/server.js
@@ -75,6 +75,8 @@ var development = (process.argv[2] === '--dev');
 // set HTTP headers
 app.use(function(req, res, next) {
+ // prevent rendering website in foreign iframe (Clickjacking)
+ res.set('X-Frame-Options', 'SAMEORIGIN');
 // HSTS
 res.set('Strict-Transport-Security', 'max-age=16070400; includeSubDomains');
 // CSP