Fixes #3. Setting X-Frame-Options/CSP headers.

Denying <frame>, <iframe>, <object>, <embed> or <applet>.
LiskArchive · Apr 10, 2016 · b3d3d7a · b3d3d7a
1 parent 894e6d7
commit b3d3d7a
Showing 1 changed file with 14 additions and 0 deletions.
diff --git a/app.js b/app.js
@@ -307,6 +307,20 @@ d.run(function () {
 				var parts = req.url.split('/');
 				var ip = req.headers['x-forwarded-for'] || req.connection.remoteAddress;
 
+				/* Instruct browser to deny display of <frame>, <iframe> regardless of origin.
+				 *
+				 * RFC -> https://tools.ietf.org/html/rfc7034
+				 */
+				res.setHeader('X-Frame-Options', 'DENY');
+
+				/* Set Content-Security-Policy headers.
+				 *
+				 * frame-ancestors - Defines valid sources for <frame>, <iframe>, <object>, <embed> or <applet>.
+				 *
+				 * W3C Candidate Recommendation -> https://www.w3.org/TR/CSP/
+				 */
+				res.setHeader('Content-Security-Policy', "frame-ancestors 'none'");
+
 				if (parts.length > 1) {
 					if (parts[1] == 'api') {
 						if (scope.config.api.access.whiteList.length > 0) {