From b64d78fb15ce6f07a262f37701db12272cc4722c Mon Sep 17 00:00:00 2001
From: michaeljguarino
Date: Wed, 3 Jul 2024 19:41:26 -0400
Subject: [PATCH] Add iframe security headers (#1323)
---
 apps/api/lib/api_web/endpoint.ex | 1 +
 apps/api/lib/api_web/plugs/secure_headers.ex | 11 +++++++++++
 2 files changed, 12 insertions(+)
 create mode 100644 apps/api/lib/api_web/plugs/secure_headers.ex
diff --git a/apps/api/lib/api_web/endpoint.ex b/apps/api/lib/api_web/endpoint.ex
index 2543da58f..87bb8b280 100644
--- a/apps/api/lib/api_web/endpoint.ex
+++ b/apps/api/lib/api_web/endpoint.ex
@@ -43,6 +43,7 @@ defmodule ApiWeb.Endpoint do
   plug Plug.MethodOverride
   plug Plug.Head
   plug ApiWeb.Plugs.MetricsExporter
+  plug ApiWeb.Plugs.SecureHeaders
 
   # The session will be stored in the cookie and signed,
   # this means its contents can be read but not tampered with.
diff --git a/apps/api/lib/api_web/plugs/secure_headers.ex b/apps/api/lib/api_web/plugs/secure_headers.ex
new file mode 100644
index 000000000..7357446d9
--- /dev/null
+++ b/apps/api/lib/api_web/plugs/secure_headers.ex
@@ -0,0 +1,11 @@
+defmodule ApiWeb.Plugs.SecureHeaders do
+  import Plug.Conn
+
+  def init(opts), do: opts
+
+  def call(conn, _opts) do
+    conn
+    |> put_resp_header("x-frame-options", "ALLOW-FROM #{Core.url("/")}")
+    |> put_resp_header("content-security-policy", "frame-ancestors #{Core.url("/")};")
+  end
+end
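Review bot: The `x-frame-options` value `ALLOW-FROM …` set in `call/2` of `secure_headers.ex` is a no-op in current browsers — Chrome and Safari never implemented `ALLOW-FROM`, Firefox removed it, and a browser that does not recognise the value ignores the whole header — so only the `frame-ancestors` directive on the next line actually restricts who may frame the API. Because browsers that support `frame-ancestors` ignore `X-Frame-Options` when both are present, the legacy header can carry a strict fallback instead: `|> put_resp_header("x-frame-options", "DENY")` (or `"SAMEORIGIN"` if the page at `Core.url("/")` shares the API's origin). `Core.url/1` is defined outside this patch; confirm it yields an origin-like value (`scheme://host[:port]`, optionally followed by `/`), since anything else is not a valid `frame-ancestors` source expression and browsers discard invalid entries, which would leave the allow-list empty. If a router pipeline later calls `put_secure_browser_headers/2`, check which `content-security-policy` value wins on those routes, as that helper also emits `frame-ancestors 'self'`. As a style point, declare `@behaviour Plug` with `@impl true` on `init/1` and `call/2`, and add a `@moduledoc` stating why API responses must be frameable from `Core.url("/")` rather than `'none'`.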