From 73dafa6affa5ddb9c10a134d3f497fe983e44815 Mon Sep 17 00:00:00 2001
From: Jet
Date: Fri, 11 Oct 2013 11:08:52 +0200
Subject: [PATCH 1/3] Disable framing

Set the X-Frame-Options to DENY for added security.
---
 src/webserver.js | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/webserver.js b/src/webserver.js
index e03e3382df..e23d9263f5 100644
--- a/src/webserver.js
+++ b/src/webserver.js
@@ -112,6 +112,10 @@ var express = require('express'),
 app.use(function (req, res, next) {
 nconf.set('https', req.secure);
 res.locals.csrf_token = req.session._csrf;
+
+ // Disable framing
+ res.setHeader "x-frame-options", "DENY"
+
 next();
 });

From 97592eede6e284db9ac2d5416503b9d8ebfe0489 Mon Sep 17 00:00:00 2001
From: Jet
Date: Fri, 11 Oct 2013 11:19:24 +0200
Subject: [PATCH 2/3] Fixed case for header

---
 src/webserver.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/webserver.js b/src/webserver.js
index e23d9263f5..84ebabdb55 100644
--- a/src/webserver.js
+++ b/src/webserver.js
@@ -114,7 +114,7 @@ var express = require('express'),
 res.locals.csrf_token = req.session._csrf;
 // Disable framing
- res.setHeader "x-frame-options", "DENY"
+ res.setHeader "X-Frame-Options", "DENY"
 next();
 });

From a8f2fd66ae316df405595a2488aa4528c90270c6 Mon Sep 17 00:00:00 2001
From: Jet
Date: Sun, 20 Oct 2013 13:27:25 +0200
Subject: [PATCH 3/3] Adding brackets. Too much Coffeescript. Had some filters on. :)

---
 src/webserver.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/webserver.js b/src/webserver.js
index 84ebabdb55..b9d60f0554 100644
--- a/src/webserver.js
+++ b/src/webserver.js
@@ -114,7 +114,7 @@ var express = require('express'),
 res.locals.csrf_token = req.session._csrf;
 // Disable framing
- res.setHeader "X-Frame-Options", "DENY"
+ res.setHeader("X-Frame-Options", "DENY");
 next();
 });
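Review bot: The added line `res.setHeader "x-frame-options", "DENY"` is not valid JavaScript (a CoffeeScript-style call without parentheses), so as committed this patch leaves src/webserver.js unparseable and the whole server fails to start; patches 2/3 and 3/3 in this series rewrite the same line, so the three should be squashed into one commit rather than leaving two broken revisions in history. The header-name case change in 2/3 is cosmetic only, since HTTP header field names are case-insensitive on the wire. The `// Disable framing` comment should say what threat the header addresses, e.g. `// Clickjacking defense: forbid any site, including this one, from rendering these responses in a frame.`. The enclosing middleware is registered at line 112, outside what this hunk shows of its surroundings.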
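Review bot: With the syntax fixed, the header is still only emitted for responses that pass through this particular middleware, so anything answered by a handler mounted before line 112 (a static file handler, for instance — not visible in the hunk, so worth confirming) will not carry it; mounting this as early as possible in the chain would close that gap. `"DENY"` is hard-coded even though the sibling line already reads deployment settings through nconf; if the site ever needs to frame itself, `SAMEORIGIN` is the value that allows that while still blocking third-party framing, so a config-driven value such as `res.setHeader("X-Frame-Options", nconf.get('x_frame_options') || "DENY");` would avoid a code change later (the key name is a constructed example). The enclosing middleware function starts before this hunk.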