Add clickjacking prevention middleware (#68)

Fix https://github.com/matrix-org/matrix-public-archive/issues/67

server/routes/install-routes.js

@@ -6,9 +6,11 @@ const asyncHandler = require('../lib/express-async-handler');
 
 const { handleTracingMiddleware } = require('../tracing/tracing-middleware');
 const getVersionTags = require('../lib/get-version-tags');
+const preventClickjackingMiddleware = require('./prevent-clickjacking-middleware');
 
 function installRoutes(app) {
   app.use(handleTracingMiddleware);
+  app.use(preventClickjackingMiddleware);
 
   let healthCheckResponse;
   app.get(

server/routes/prevent-clickjacking-middleware.js

@@ -0,0 +1,10 @@
+'use strict';
+
+// Don't allow others to iframe embed which can lead to clickjacking
+function preventClickjackingMiddleware(req, res, next) {
+  res.set('X-Frame-Options', 'DENY');
+
+  next();
+}
+
+module.exports = preventClickjackingMiddleware;