From b7597b274938b07387e53e48807c9ad6d465ed7e Mon Sep 17 00:00:00 2001
From: Eric Eastwood
Date: Thu, 8 Sep 2022 19:30:20 -0500
Subject: [PATCH] Add clickjacking prevention middleware (#68)

Fix https://github.com/matrix-org/matrix-public-archive/issues/67
---
 server/routes/install-routes.js | 2 ++
 server/routes/prevent-clickjacking-middleware.js | 10 ++++++++++
 2 files changed, 12 insertions(+)
 create mode 100644 server/routes/prevent-clickjacking-middleware.js

diff --git a/server/routes/install-routes.js b/server/routes/install-routes.js
index 7613dc6..fceaf9b 100644
--- a/server/routes/install-routes.js
+++ b/server/routes/install-routes.js
@@ -6,9 +6,11 @@
 const asyncHandler = require('../lib/express-async-handler');
 const { handleTracingMiddleware } = require('../tracing/tracing-middleware');
 const getVersionTags = require('../lib/get-version-tags');
+const preventClickjackingMiddleware = require('./prevent-clickjacking-middleware');
 
 function installRoutes(app) {
   app.use(handleTracingMiddleware);
+  app.use(preventClickjackingMiddleware);
 
   let healthCheckResponse;
   app.get(
diff --git a/server/routes/prevent-clickjacking-middleware.js b/server/routes/prevent-clickjacking-middleware.js
new file mode 100644
index 0000000..4e95ba7
--- /dev/null
+++ b/server/routes/prevent-clickjacking-middleware.js
@@ -0,0 +1,10 @@
+'use strict';
+
+// Don't allow others to iframe embed which can lead to clickjacking
+function preventClickjackingMiddleware(req, res, next) {
+  res.set('X-Frame-Options', 'DENY');
+
+  next();
+}
+
+module.exports = preventClickjackingMiddleware;
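Review bot: The new `app.use(preventClickjackingMiddleware);` only protects handlers registered on this app after it, so any middleware or static-file handler mounted before installRoutes runs (none is visible in this hunk) would still answer without the header. If such earlier mounts exist, registering this middleware as the very first `app.use` in the app's top-level setup would close that gap; otherwise the placement right after the tracing middleware is fine. The body of installRoutes continues past the end of the hunk.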
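Review bot: `X-Frame-Options` is the legacy framing control; browsers that support the CSP `frame-ancestors` directive give it precedence and ignore X-Frame-Options when both are present, so the middleware should emit the CSP directive too and keep `DENY` only as the fallback for older browsers, e.g. `res.set('Content-Security-Policy', "frame-ancestors 'none'");` next to the existing `res.set` call. If the app already sends a Content-Security-Policy header somewhere not shown here, `res.set` would replace it and the directive would instead need to be merged into that header. The comment above the function could record this, e.g. `// X-Frame-Options: DENY is kept for older browsers; CSP frame-ancestors 'none' is the current mechanism`.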