Prevent i-framing of frontend UI to prevent unsafe embedding and/or clickjacking (#1200)

Prevent iframing of frontend UI to prevent unsafe embedding and/or clickjacking
2024-05-01 13:02:08 -07:00 · 2024-05-01 13:02:08 -07:00 · e61dfd80a5
commit e61dfd80a5
parent 42e1d8e8ce
1 changed files with 8 additions and 1 deletions
--- a/server/index.js
+++ b/server/index.js
@ -56,7 +56,14 @@ embeddedEndpoints(apiRouter);

 if (process.env.NODE_ENV !== "development") {
  app.use(
-    express.static(path.resolve(__dirname, "public"), { extensions: ["js"] })
+    express.static(path.resolve(__dirname, "public"), {
+      extensions: ["js"],
+      setHeaders: (res) => {
+        // Disable I-framing of entire site UI
+        res.removeHeader("X-Powered-By");
+        res.setHeader("X-Frame-Options", "DENY");
+      },
+    })
  );

  app.use("/", function (_, response) {