Add HTTPSecurityHeaders.CustomFrameOptionsValue option.

Requested in navidrome#248 (comment)
ms140569 · May 2, 2024 · aef49cb · aef49cb
1 parent 7c5eec7
commit aef49cb
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 4 deletions.
diff --git a/conf/configuration.go b/conf/configuration.go
@@ -80,6 +80,7 @@ type configOptions struct {
 	PasswordEncryptionKey        string
 	ReverseProxyUserHeader       string
 	ReverseProxyWhitelist        string
+	HTTPSecurityHeaders          secureOptions
 	Prometheus                   prometheusOptions
 	Scanner                      scannerOptions
 	Jukebox                      jukeboxOptions
@@ -130,6 +131,10 @@ type listenBrainzOptions struct {
 	BaseURL string
 }
 
+type secureOptions struct {
+	CustomFrameOptionsValue string
+}
+
 type prometheusOptions struct {
 	Enabled     bool
 	MetricsPath string
@@ -350,6 +355,8 @@ func init() {
 	viper.SetDefault("listenbrainz.enabled", true)
 	viper.SetDefault("listenbrainz.baseurl", "https://api.listenbrainz.org/1/")
 
+	viper.SetDefault("httpsecurityheaders.customframeoptionsvalue", "DENY")
+
 	// DevFlags. These are used to enable/disable debugging and incomplete features
 	viper.SetDefault("devlogsourceline", false)
 	viper.SetDefault("devenableprofiler", false)

diff --git a/server/middlewares.go b/server/middlewares.go
@@ -98,10 +98,11 @@ func corsHandler() func(http.Handler) http.Handler {
 
 func secureMiddleware() func(http.Handler) http.Handler {
 	sec := secure.New(secure.Options{
-		ContentTypeNosniff: true,
-		FrameDeny:          true,
-		ReferrerPolicy:     "same-origin",
-		PermissionsPolicy:  "autoplay=(), camera=(), microphone=(), usb=()",
+		ContentTypeNosniff:      true,
+		FrameDeny:               true,
+		ReferrerPolicy:          "same-origin",
+		PermissionsPolicy:       "autoplay=(), camera=(), microphone=(), usb=()",
+		CustomFrameOptionsValue: conf.Server.HTTPSecurityHeaders.CustomFrameOptionsValue,
 		//ContentSecurityPolicy: "script-src 'self' 'unsafe-inline'",
 	})
 	return sec.Handler