Allow X-FRAME-OPTIONS to be set in config.py. Default to SAMEORIGIN. Fixes #3439

DENY cannot be supported without breaking the debugger and query tool.

docs/en_US/release_notes_4_3.rst

@@ -10,6 +10,7 @@ Features
 ********
 
 | `Feature #1825 <https://redmine.postgresql.org/issues/1825>`_ - Install a script to start pgAdmin (pgadmin4) from the command line when installed from the Python wheel.
+| `Feature #3439 <https://redmine.postgresql.org/issues/3439>`_ - Allow X-FRAME-OPTIONS to be set for security. Default to SAMEORIGIN.
 
 Bug fixes
 *********

web/config.py

@@ -144,6 +144,12 @@ DEFAULT_SERVER_PORT = 5050
 # Enable CSRF protection?
 CSRF_ENABLED = True
 
+# Enable X-Frame-Option protection.
+# Set to one of "SAMEORIGIN", "ALLOW-FROM origin" or "" to disable.
+# Note that "DENY" is NOT supported (and will be silently ignored).
+# See https://tools.ietf.org/html/rfc7034 for more info.
+X_FRAME_OPTIONS = "SAMEORIGIN"
+
 # Hashing algorithm used for password storage
 SECURITY_PASSWORD_HASH = 'pbkdf2_sha512'
 

web/pgadmin/__init__.py

@@ -630,6 +630,11 @@ def create_app(app_name=None):
                                 path=config.COOKIE_DEFAULT_PATH,
                                 **domain)
 
+        # X-Frame-Options for security
+        if config.X_FRAME_OPTIONS != "" and \
+                config.X_FRAME_OPTIONS.lower() != "deny":
+            response.headers["X-Frame-Options"] = config.X_FRAME_OPTIONS
+
         return response
 
     ##########################################################################