From aa1fdaddaf83e05a2d03ceb7dea5df1be80b9fae Mon Sep 17 00:00:00 2001
From: Joshua Tauberer <jt@occams.info>
Date: Wed, 23 Mar 2016 16:53:48 -0400
Subject: [PATCH] hotfix merge #755 - Prevent click jacking of the management
 interface

---
 CHANGELOG.md                | 4 ++++
 conf/nginx-primaryonly.conf | 3 +++
 2 files changed, 7 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index cc31fd74..cf5578d0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,10 @@ CHANGELOG
 In Development
 --------------
 
+Control panel:
+
+* Prevent click-jacking of the management interface by adding HTTP headers.
+
 Setup:
 
 * Setup dialogs did not appear correctly when connecting to SSH using Putty on Windows.
diff --git a/conf/nginx-primaryonly.conf b/conf/nginx-primaryonly.conf
index 2fb9972e..8fd546af 100644
--- a/conf/nginx-primaryonly.conf
+++ b/conf/nginx-primaryonly.conf
@@ -6,6 +6,9 @@
 	location /admin/ {
 		proxy_pass http://127.0.0.1:10222/;
 		proxy_set_header X-Forwarded-For $remote_addr;
+		add_header X-Frame-Options "DENY";
+		add_header X-Content-Type-Options nosniff;
+		add_header Content-Security-Policy "frame-ancestors 'none';";
 	}
 
 	# ownCloud configuration.