From 381f412df996984efd4cbfd0b6b478b3ecd6ccbc Mon Sep 17 00:00:00 2001
From: Oliver Gorwits
Date: Wed, 6 Oct 2021 16:44:36 +0100
Subject: [PATCH] clickjacking prevention via X-Frame-Options and Content-Security-Policy headers
---
 Build.PL | 1 +
 bin/netdisco-web-fg | 6 ++++++
 share/config.yml | 3 +++
 3 files changed, 10 insertions(+)
diff --git a/Build.PL b/Build.PL
index 38c5c02e3..ef2a25347 100644
--- a/Build.PL
+++ b/Build.PL
@@ -71,6 +71,7 @@ Module::Build->new(
 'Plack::Handler::Twiggy' => '0',
 'Plack::Middleware::Debug' => '0',
 'Plack::Middleware::Expires' => '0.03',
+ 'Plack::Middleware::Headers' => '0',
 'Plack::Middleware::ReverseProxy' => '0.15',
 'Pod::Usage' => 0,
 'Regexp::Common' => 2017060201,
diff --git a/bin/netdisco-web-fg b/bin/netdisco-web-fg
index 91b894e2e..d46c4fc9b 100755
--- a/bin/netdisco-web-fg
+++ b/bin/netdisco-web-fg
@@ -31,6 +31,12 @@ BEGIN {
 set plack_middlewares => [
 ['Plack::Middleware::ReverseProxy'],
+ [ Headers => ( set => ['X-Frame-Options' => setting('HTTP-Header-X-Frame-Options')], )],
+ [ Headers => ( set => ['Content-Security-Policy' => setting('HTTP-Header-Content-Security-Policy')], )],
 [ Expires => (
 content_type => [qr{^application/javascript}, qr{^text/css}, qr{image}, qr{font}],
 expires => 'access plus 1 day',
diff --git a/share/config.yml b/share/config.yml
index c5c805dc0..9c75059f7 100644
--- a/share/config.yml
+++ b/share/config.yml
@@ -533,3 +533,6 @@ template: 'netdisco_template_toolkit'
 route_cache: true
 appname: 'Netdisco'
 behind_proxy: false
+HTTP-Header-X-Frame-Options: 'DENY'
+HTTP-Header-Content-Security-Policy: 'none'
+
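Review bot: Neither new Headers entry copes with an operator blanking one of the two settings to opt out of that header — `setting(...)` then yields undef or an empty string, which is still handed to `set`, so the header is presumably emitted with an empty value or triggers a warning (confirm against Plack::Middleware::Headers). The two entries also add two middleware hops where one `set` list carrying both pairs would do; building that list only from defined, non-empty settings covers both points, as below. Since `set` unconditionally replaces whatever the application itself emitted, a comment such as `# security headers from config.yml; 'set' overrides anything the app sent` above the entry would save the next reader a lookup. The `set plack_middlewares => [` statement this hunk opens is closed after the hunk.
```perl
set plack_middlewares => [
    ['Plack::Middleware::ReverseProxy'],
    # security headers from config.yml; a header whose setting is unset or empty is not sent
    [ Headers => (
      set => [
        map  { ($_->[0] => setting($_->[1])) }
        grep { length(setting($_->[1]) // '') }
          ['X-Frame-Options'         => 'HTTP-Header-X-Frame-Options'],
          ['Content-Security-Policy' => 'HTTP-Header-Content-Security-Policy'],
      ],
    )],
    # … unchanged: Expires entry …
```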
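Review bot: The default `HTTP-Header-Content-Security-Policy: 'none'` is not a usable policy: YAML treats the single quotes as delimiters, so the response carries `Content-Security-Policy: none`, which contains no directive and is ignored by browsers, leaving only X-Frame-Options to stop framing. The CSP counterpart of `DENY` is the frame-ancestors directive, and its inner quotes must survive YAML parsing: `HTTP-Header-Content-Security-Policy: "frame-ancestors 'none'"`. A one-line comment above the two keys would also help operators who tune them, e.g. `# sent verbatim on every web response; both block framing of the UI (clickjacking)`.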