Add iframe security headers (#1323)

pluralsh · Jul 3, 2024 · b64d78f · b64d78f
1 parent d51155d
commit b64d78f
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 0 deletions.
diff --git a/apps/api/lib/api_web/endpoint.ex b/apps/api/lib/api_web/endpoint.ex
@@ -43,6 +43,7 @@ defmodule ApiWeb.Endpoint do
   plug Plug.MethodOverride
   plug Plug.Head
   plug ApiWeb.Plugs.MetricsExporter
+  plug ApiWeb.Plugs.SecureHeaders
 
   # The session will be stored in the cookie and signed,
   # this means its contents can be read but not tampered with.

diff --git a/apps/api/lib/api_web/plugs/secure_headers.ex b/apps/api/lib/api_web/plugs/secure_headers.ex
@@ -0,0 +1,11 @@
+defmodule ApiWeb.Plugs.SecureHeaders do
+  import Plug.Conn
+
+  def init(opts), do: opts
+
+  def call(conn, _opts) do
+    conn
+    |> put_resp_header("x-frame-options", "ALLOW-FROM #{Core.url("/")}")
+    |> put_resp_header("content-security-policy", "frame-ancestors #{Core.url("/")};")
+  end
+end