Added X-Frame-Options: deny (#6992)

cvat-ai · Oct 12, 2023 · 93a4f05 · 93a4f05
1 parent 848e373
commit 93a4f05
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 5 deletions.
diff --git a/changelog.d/20231012_123219_andrey_x_frame_options.md b/changelog.d/20231012_123219_andrey_x_frame_options.md
@@ -0,0 +1,4 @@
+### Security
+
+- Added X-Frame-Options: deny
+  (<https://github.com/opencv/cvat/pull/6992>)
diff --git a/cvat-ui/react_nginx.conf b/cvat-ui/react_nginx.conf
@@ -15,11 +15,12 @@ server {
     location / {
         # Any route that doesn't exist on the server (e.g. /devices)
         try_files $uri $uri/ /index.html;
-        add_header  Cache-Control "no-cache, no-store, must-revalidate";
-        add_header  Pragma "no-cache";
-        add_header  Cross-Origin-Opener-Policy "same-origin";
-        add_header  Cross-Origin-Embedder-Policy "credentialless";
-        add_header  Expires 0;
+        add_header Cache-Control "no-cache, no-store, must-revalidate";
+        add_header Pragma "no-cache";
+        add_header Cross-Origin-Opener-Policy "same-origin";
+        add_header Cross-Origin-Embedder-Policy "credentialless";
+        add_header Expires 0;
+        add_header X-Frame-Options "deny";
     }
 
     location /assets {

diff --git a/cvat/nginx.conf b/cvat/nginx.conf
@@ -46,6 +46,8 @@ http {
     # previously used value
     client_max_body_size 1G;
 
+    add_header X-Frame-Options deny;
+
     server_name _;
 
     location /static/ {