Merge pull request #253 from nickago/MM-1654

MM-1654 Anti-clickjacking measures

1 files changed, 6 insertions, 0 deletions

diff --git a/api/context.go b/api/context.go
index ac9dffcbc..16da0a6eb 100644
--- a/api/context.go
+++ b/api/context.go
@@ -101,6 +101,12 @@ func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set(model.HEADER_REQUEST_ID, c.RequestId)
 	w.Header().Set(model.HEADER_VERSION_ID, utils.Cfg.ServiceSettings.Version)
 
+	// Instruct the browser not to display us in an iframe for anti-clickjacking
+	if !h.isApi {
+		w.Header().Set("X-Frame-Options", "DENY")
+		w.Header().Set("Content-Security-Policy", "frame-ancestors none")
+	}
+
 	sessionId := ""
 
 	// attempt to parse the session token from the header