From 68f64e96bb7612014e9fe8dddebd2dcded46d050 Mon Sep 17 00:00:00 2001
From: michaeljguarino
Date: Wed, 3 Jul 2024 19:24:07 -0400
Subject: [PATCH] Add iframe security headers checking security boxes
---
 apps/api/lib/api_web/endpoint.ex | 1 +
 apps/api/lib/api_web/plugs/secure_headers.ex | 11 +++++++++++
 2 files changed, 12 insertions(+)
 create mode 100644 apps/api/lib/api_web/plugs/secure_headers.ex
diff --git a/apps/api/lib/api_web/endpoint.ex b/apps/api/lib/api_web/endpoint.ex
index 2543da58f..87bb8b280 100644
--- a/apps/api/lib/api_web/endpoint.ex
+++ b/apps/api/lib/api_web/endpoint.ex
@@ -43,6 +43,7 @@ defmodule ApiWeb.Endpoint do
   plug Plug.MethodOverride
   plug Plug.Head
   plug ApiWeb.Plugs.MetricsExporter
+  plug ApiWeb.Plugs.SecureHeaders
 
   # The session will be stored in the cookie and signed,
   # this means its contents can be read but not tampered with.
diff --git a/apps/api/lib/api_web/plugs/secure_headers.ex b/apps/api/lib/api_web/plugs/secure_headers.ex
new file mode 100644
index 000000000..7ce6d55c5
--- /dev/null
+++ b/apps/api/lib/api_web/plugs/secure_headers.ex
@@ -0,0 +1,11 @@
+defmodule ApiWeb.Plugs.SecureHeaders do
+  import Plug.Conn
+
+  def init(opts), do: opts
+
+  def call(conn, _opts) do
+    conn
+    |> put_resp_header("X-Frame-Options", "ALLOW-FROM #{Core.url("/")}")
+    |> put_resp_header("Content-Security-Policy", "frame-ancestors #{Core.url("/")};")
+  end
+end
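Review bot: Both `put_resp_header/3` calls in `call/2` of the new `secure_headers.ex` use mixed-case keys (`"X-Frame-Options"`, `"Content-Security-Policy"`); Plug expects lowercase header keys, raises `Plug.Conn.InvalidHeaderError` for non-lowercase keys under the test adapter, and mixed-case response headers are rejected by common HTTP/2 clients. Change them to `|> put_resp_header("x-frame-options", "ALLOW-FROM #{Core.url("/")}")` and `|> put_resp_header("content-security-policy", "frame-ancestors #{Core.url("/")};")`. The `ALLOW-FROM` value of X-Frame-Options is obsolete and ignored by current browsers, so the effective framing restriction comes from the `frame-ancestors` directive alone; if the header is kept as a legacy fallback, a comment such as `# x-frame-options ALLOW-FROM is ignored by modern browsers; frame-ancestors is the enforced restriction` would make that intent visible. `put_resp_header/3` also replaces any Content-Security-Policy already set on the conn earlier in the pipeline, which is worth confirming is intended, and whether `Core.url("/")` yields a value valid as a CSP host-source cannot be seen from this hunk.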