Fixes #88 - Allow specifying X-FRAME-OPTIONS with an environment variable (#89)

2025-06-18 10:06:26 +00:00 · 2019-03-04 10:16:46 +10:00
parent aad9ecde6b
commit 6f1d38a0e2
3 changed files with 27 additions and 3 deletions
--- a/src/backend/app.js
+++ b/src/backend/app.js
@ -40,11 +40,17 @@ app.use(require('./lib/express/cors'));

 // General security/cache related headers + server header
 app.use(function (req, res, next) {
+    let x_frame_options = 'DENY';
+
+    if (typeof process.env.X_FRAME_OPTIONS !== 'undefined' && process.env.X_FRAME_OPTIONS) {
+        x_frame_options = process.env.X_FRAME_OPTIONS;
+    }
+
    res.set({
        'Strict-Transport-Security': 'includeSubDomains; max-age=631138519; preload',
        'X-XSS-Protection':          '0',
        'X-Content-Type-Options':    'nosniff',
-        'X-Frame-Options':           'DENY',
+        'X-Frame-Options':           x_frame_options,
        'Cache-Control':             'no-cache, no-store, max-age=0, must-revalidate',
        Pragma:                      'no-cache',
        Expires:                     0