Add iframe security headers (#1323)
michaeljguarino authored Jul 3, 2024
1 parent d51155d commit b64d78f
Showing 2 changed files with 12 additions and 0 deletions.
1 change: 1 addition & 0 deletions apps/api/lib/api_web/endpoint.ex
Expand Up @@ -43,6 +43,7 @@ defmodule ApiWeb.Endpoint do
plug Plug.MethodOverride
plug Plug.Head
plug ApiWeb.Plugs.MetricsExporter
plug ApiWeb.Plugs.SecureHeaders

# The session will be stored in the cookie and signed,
# this means its contents can be read but not tampered with.
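Review bot: the position of `plug ApiWeb.Plugs.SecureHeaders`, after `Plug.MethodOverride`, `Plug.Head` and `ApiWeb.Plugs.MetricsExporter`, means any response sent by a plug earlier in the endpoint goes out without the framing headers. If `MetricsExporter` or anything above this hunk halts the connection and replies itself, those responses stay frameable. If the intent is to cover every response, move the plug to the top of the endpoint, or add a comment stating which responses are deliberately left uncovered.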
11 changes: 11 additions & 0 deletions apps/api/lib/api_web/plugs/secure_headers.ex
@@ -0,0 +1,11 @@
defmodule ApiWeb.Plugs.SecureHeaders do
import Plug.Conn

def init(opts), do: opts

def call(conn, _opts) do
conn
|> put_resp_header("x-frame-options", "ALLOW-FROM #{Core.url("/")}")
|> put_resp_header("content-security-policy", "frame-ancestors #{Core.url("/")};")
end
end
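Review bot: in `call/2`, the `x-frame-options` value `ALLOW-FROM #{Core.url("/")}` relies on a directive that is obsolete; current browsers do not implement it and ignore a header that carries it, so the only effective control in this plug is the `frame-ancestors` line. Drop the `x-frame-options` header, or keep it with a comment saying it exists only for legacy browsers. Also check the `content-security-policy` line: `put_resp_header` replaces any value already set for that header, so if another plug or controller sets a CSP this one should be merged with it rather than overwriting it or being overwritten. The module has no `@moduledoc` or `@behaviour Plug`, and a test asserting both headers on a response would pin the behaviour.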
