Skip to content

fix(security): set anti-framing headers at the server level #26

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
camreeves wants to merge 2 commits into
base: main
Choose a base branch
from
Open

fix(security): set anti-framing headers at the server level #26

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
c0bb84b
fix(security): set anti-framing headers at the server level
camreeves May 18, 2026
19cca58
fix(nginx): allow SAMEORIGIN
viv-4 May 19, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions config/nginx.conf.template
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,16 @@ http {
set $kibana kibana:5601;
set $mosquitto mosquitto:9001;

# Defensive clickjacking headers, applied at the server level so they
# propagate to all HTML responses (frontend SPAs, login pages, etc.).
# `frame-ancestors 'self'` (CSP Level 2) is the standards-track form;
# `X-Frame-Options SAMEORIGIN` covers older browsers that don't honour CSP.
# Locations that declare their own `add_header` directives do not
# inherit these — API responses are JSON and not framable, so the
# protection is targeted at the HTML surface that matters.
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Content-Security-Policy "frame-ancestors 'self'" always;

location ~ "^/\.(?!well-known/)" {
deny all;
}
Expand Down
Loading