IntenseWebs/mattermost
3
0
Fork 0
mirror of https://github.com/mattermost/mattermost.git synced 2025-02-25 18:55:24 -06:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #253 from nickago/MM-1654

Browse Source 
MM-1654 Anti-clickjacking measures
This commit is contained in:
Christopher Speller
2015-07-28 10:03:10 -04:00
parent 94b905aff5 ce2cf5b4e8
commit ec2e61bc55
2 changed files with 13 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
api/context.go
View File

@@ -101,6 +101,12 @@ func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
w.Header().Set(model.HEADER_REQUEST_ID, c.RequestId)
w.Header().Set(model.HEADER_VERSION_ID, utils.Cfg.ServiceSettings.Version)
// Instruct the browser not to display us in an iframe for anti-clickjacking
if !h.isApi {
w.Header().Set("X-Frame-Options", "DENY")
w.Header().Set("Content-Security-Policy", "frame-ancestors none")
}
sessionId := ""
// attempt to parse the session token from the header