From 76cf6c559d8c3bcb206b873ee517668e699ae632 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=A4=A9=E8=88=9F?=
Date: Tue, 12 Oct 2021 23:40:44 +0800
Subject: [PATCH] Disallow iframe embed to set XFrameOptions=DENY

Found by https://huntr.dev/
---
 server/server.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/server/server.go b/server/server.go
index b3e697d119e7d5..f60135355c1470 100644
--- a/server/server.go
+++ b/server/server.go
@@ -93,6 +93,11 @@ func NewServer(logger *zap.Logger, version string, host string, port int, fronte
 e.HideBanner = true
 e.HidePort = true

+ // Disallow to be embeded in an iframe
+ e.Use(middleware.SecureWithConfig(middleware.SecureConfig{
+ XFrameOptions: "DENY",
+ }))
+
 embedFrontend(logger, e)

 s := &Server{
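Review bot: The `SecureConfig` literal added in `NewServer` sets only `XFrameOptions`, so framing protection rests on the legacy header alone; adding `ContentSecurityPolicy: "frame-ancestors 'none'",` to the same literal gives browsers the CSP equivalent, which they prefer where both are present. Assuming `middleware` is Echo's package, `SecureWithConfig` does not fill unset fields from `DefaultSecureConfig`, so `X-Content-Type-Options` is not sent unless `ContentTypeNosniff: "nosniff",` is set as well. The comment has a typo and could state the intent directly, e.g. `// Forbid rendering the app inside a frame (clickjacking defence).`. `NewServer` begins and ends outside this hunk, so any other response headers it may set are not visible here.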