From 056565a9689dfe6557f8a3bf8dace41b9b9f43b7 Mon Sep 17 00:00:00 2001
From: Clement Michaud
Date: Sun, 15 Oct 2017 18:03:18 +0200
Subject: [PATCH] Add X-Frame-Options header to avoid ability to embed websites in iframes
---
 example/nginx/nginx.conf | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/example/nginx/nginx.conf b/example/nginx/nginx.conf
index 5c215025..0db8f9d5 100644
--- a/example/nginx/nginx.conf
+++ b/example/nginx/nginx.conf
@@ -31,6 +31,7 @@ http {
 ssl_certificate_key /etc/ssl/server.key;
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header X-Frame-Options "SAMEORIGIN";
 location / {
 proxy_set_header X-Original-URI $request_uri;
@@ -61,6 +62,7 @@ http {
 ssl_certificate_key /etc/ssl/server.key;
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header X-Frame-Options "SAMEORIGIN";
 }
 server {
@@ -74,6 +76,7 @@ http {
 ssl_certificate_key /etc/ssl/server.key;
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header X-Frame-Options "SAMEORIGIN";
 location /auth_verify {
 internal;
@@ -130,6 +133,7 @@ http {
 ssl_certificate_key /etc/ssl/server.key;
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header X-Frame-Options "SAMEORIGIN";
 location /auth_verify {
 internal;
@@ -169,6 +173,7 @@ http {
 ssl_certificate_key /etc/ssl/server.key;
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header X-Frame-Options "SAMEORIGIN";
 location /auth_verify {
 internal;
@@ -208,6 +213,7 @@ http {
 ssl_certificate_key /etc/ssl/server.key;
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header X-Frame-Options "SAMEORIGIN";
 location /auth_verify {
 internal;
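Review bot: The added `add_header X-Frame-Options "SAMEORIGIN";` omits the `always` parameter that the Strict-Transport-Security line directly above it carries, so nginx attaches the header only to its default set of success and redirect status codes and leaves it off 4xx/5xx responses. Error and access-denied pages served by these virtual hosts would then remain frameable. Writing `add_header X-Frame-Options "SAMEORIGIN" always;` keeps the two security headers consistent. The same applies to all seven hunks (at -31, -61, -74, -130, -169, -208 and -247); the server blocks they belong to start and end outside the hunks.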
@@ -247,6 +253,7 @@ http {
 ssl_certificate_key /etc/ssl/server.key;
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+ add_header X-Frame-Options "SAMEORIGIN";
 location /auth_verify {
 internal;
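Review bot: The server-level `add_header` lines here reach a location only if that location declares no `add_header` of its own, and this hunk ends inside `location /auth_verify {`, whose body lies outside the hunk. If any location in these server blocks sets its own header, both X-Frame-Options and Strict-Transport-Security are silently dropped for it, so the location bodies should be checked. A comment above the pair would document this, for example `# Security headers: repeat in any location that uses add_header (levels are not merged)`. Since the same two lines now appear in seven server blocks, moving them into one shared include file would keep the copies from drifting apart.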