From b7597b274938b07387e53e48807c9ad6d465ed7e Mon Sep 17 00:00:00 2001
From: Eric Eastwood <contact@ericeastwood.com>
Date: Thu, 8 Sep 2022 19:30:20 -0500
Subject: [PATCH] Add clickjacking prevention middleware (#68)

Fix https://github.com/matrix-org/matrix-public-archive/issues/67
---
 server/routes/install-routes.js                  |  2 ++
 server/routes/prevent-clickjacking-middleware.js | 10 ++++++++++
 2 files changed, 12 insertions(+)
 create mode 100644 server/routes/prevent-clickjacking-middleware.js

diff --git a/server/routes/install-routes.js b/server/routes/install-routes.js
index 7613dc6..fceaf9b 100644
--- a/server/routes/install-routes.js
+++ b/server/routes/install-routes.js
@@ -6,9 +6,11 @@ const asyncHandler = require('../lib/express-async-handler');
 
 const { handleTracingMiddleware } = require('../tracing/tracing-middleware');
 const getVersionTags = require('../lib/get-version-tags');
+const preventClickjackingMiddleware = require('./prevent-clickjacking-middleware');
 
 function installRoutes(app) {
   app.use(handleTracingMiddleware);
+  app.use(preventClickjackingMiddleware);
 
   let healthCheckResponse;
   app.get(
diff --git a/server/routes/prevent-clickjacking-middleware.js b/server/routes/prevent-clickjacking-middleware.js
new file mode 100644
index 0000000..4e95ba7
--- /dev/null
+++ b/server/routes/prevent-clickjacking-middleware.js
@@ -0,0 +1,10 @@
+'use strict';
+
+// Don't allow others to iframe embed which can lead to clickjacking
+function preventClickjackingMiddleware(req, res, next) {
+  res.set('X-Frame-Options', 'DENY');
+
+  next();
+}
+
+module.exports = preventClickjackingMiddleware;