diff options
-rw-r--r-- | api/context.go | 6 | ||||
-rw-r--r-- | web/templates/head.html | 7 |
2 files changed, 13 insertions, 0 deletions
diff --git a/api/context.go b/api/context.go index ac9dffcbc..16da0a6eb 100644 --- a/api/context.go +++ b/api/context.go @@ -101,6 +101,12 @@ func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) { w.Header().Set(model.HEADER_REQUEST_ID, c.RequestId) w.Header().Set(model.HEADER_VERSION_ID, utils.Cfg.ServiceSettings.Version) + // Instruct the browser not to display us in an iframe for anti-clickjacking + if !h.isApi { + w.Header().Set("X-Frame-Options", "DENY") + w.Header().Set("Content-Security-Policy", "frame-ancestors none") + } + sessionId := "" // attempt to parse the session token from the header diff --git a/web/templates/head.html b/web/templates/head.html index d14340998..7a7d4fe8e 100644 --- a/web/templates/head.html +++ b/web/templates/head.html @@ -36,6 +36,13 @@ <script type="text/javascript" src="https://cloudfront.loggly.com/js/loggly.tracker.js" async></script> <script id="config" type="text/javascript" src="/static/config/config.js"></script> + <style id="antiClickjack">body{display:none !important;}</style> + <script type="text/javascript"> + if (self === top) { + var blocker = document.getElementById("antiClickjack"); + blocker.parentNode.removeChild(blocker); + } + </script> <script> if (config == null) { config = {}; |