Add iframe security headers

apps/api/lib/api_web/endpoint.ex

@@ -43,6 +43,7 @@ defmodule ApiWeb.Endpoint do
   plug Plug.MethodOverride
   plug Plug.Head
   plug ApiWeb.Plugs.MetricsExporter
+  plug ApiWeb.Plugs.SecureHeaders
 
   # The session will be stored in the cookie and signed,
   # this means its contents can be read but not tampered with.

apps/api/lib/api_web/plugs/secure_headers.ex

@@ -0,0 +1,11 @@
+defmodule ApiWeb.Plugs.SecureHeaders do
+  import Plug.Conn
+
+  def init(opts), do: opts
+
+  def call(conn, _opts) do
+    conn
+    |> put_resp_header("x-frame-options", "ALLOW-FROM #{Core.url("/")}")
+    |> put_resp_header("content-security-policy", "frame-ancestors #{Core.url("/")};")
+  end
+end