Prevent clickjacking by sending X-Frame-Options

2016-06-15 13:10:26 +02:00
parent 069778caca
commit a37f87511b
1 changed files with 3 additions and 0 deletions
--- a/setup/start/nginx/appconfig.ejs
+++ b/setup/start/nginx/appconfig.ejs
@@ -24,6 +24,9 @@ server {
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";

+    # https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
+    add_header X-Frame-Options SAMEORIGIN;
+
    proxy_http_version 1.1;
    proxy_intercept_errors on;
    proxy_read_timeout       3500;