clickjacking prevention via X-Frame-Options and Content-Security-Poli…

…cy headers
netdisco · Oct 6, 2021 · 381f412 · 381f412
1 parent 726e8c6
commit 381f412
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 0 deletions.
diff --git a/Build.PL b/Build.PL
@@ -71,6 +71,7 @@ Module::Build->new(
     'Plack::Handler::Twiggy' => '0',
     'Plack::Middleware::Debug' => '0',
     'Plack::Middleware::Expires' => '0.03',
+    'Plack::Middleware::Headers' => '0',
     'Plack::Middleware::ReverseProxy' => '0.15',
     'Pod::Usage' => 0,
     'Regexp::Common' => 2017060201,

diff --git a/bin/netdisco-web-fg b/bin/netdisco-web-fg
@@ -31,6 +31,12 @@ BEGIN {
 
 set plack_middlewares => [
   ['Plack::Middleware::ReverseProxy'],
+  [ Headers => (
+      set => ['X-Frame-Options' => setting('HTTP-Header-X-Frame-Options')],
+  )],
+  [ Headers => (
+      set => ['Content-Security-Policy' => setting('HTTP-Header-Content-Security-Policy')],
+  )],
   [ Expires => (
       content_type => [qr{^application/javascript}, qr{^text/css}, qr{image}, qr{font}],
       expires => 'access plus 1 day',

diff --git a/share/config.yml b/share/config.yml
@@ -533,3 +533,6 @@ template: 'netdisco_template_toolkit'
 route_cache: true
 appname: 'Netdisco'
 behind_proxy: false
+HTTP-Header-X-Frame-Options: 'DENY'
+HTTP-Header-Content-Security-Policy: 'none'
+