hotfix merge #755 - Prevent click jacking of the management interface

2025-10-31 19:00:54 +00:00 · 2016-03-23 16:53:48 -04:00 · 2016-03-23 16:53:48 -04:00 · aa1fdaddaf
commit aa1fdaddaf
parent 7fa9baf308
2 changed files with 7 additions and 0 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -4,6 +4,10 @@ CHANGELOG
 In Development
 --------------

+Control panel:
+
+* Prevent click-jacking of the management interface by adding HTTP headers.
+
 Setup:

 * Setup dialogs did not appear correctly when connecting to SSH using Putty on Windows.
--- a/conf/nginx-primaryonly.conf
+++ b/conf/nginx-primaryonly.conf
@ -6,6 +6,9 @@
 	location /admin/ {
 		proxy_pass http://127.0.0.1:10222/;
 		proxy_set_header X-Forwarded-For $remote_addr;
+		add_header X-Frame-Options "DENY";
+		add_header X-Content-Type-Options nosniff;
+		add_header Content-Security-Policy "frame-ancestors 'none';";
 	}

 	# ownCloud configuration.