anti-framing policy added with headers

filegator · Sep 27, 2021 · 63645f6 · 63645f6
1 parent 8f1dfd9
commit 63645f6
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 0 deletions.
diff --git a/backend/Services/Security/Security.php b/backend/Services/Security/Security.php
@@ -89,5 +89,11 @@ public function init(array $config = [])
                 die;
             }
         }
+
+
+        if (empty($config['allow_insecure_overlays']) || !$config['allow_insecure_overlays']) {
+            $this->response->headers->set('X-Frame-Options', 'sameorigin');
+            $this->response->headers->set('Content-Security-Policy', 'frame-ancestors \'self\'');
+        }
     }
 }
diff --git a/configuration_sample.php b/configuration_sample.php
@@ -72,6 +72,7 @@ function () {
                 'csrf_key' => "123456", // randomize this
                 'ip_allowlist' => [],
                 'ip_denylist' => [],
+                'allow_insecure_overlays' => false,
             ],
         ],
         'Filegator\Services\View\ViewInterface' => [