Clickjacking (X-Frame-Options Header) security patch fix on file doub…

…tfire-web-webnginx.conf
thoth-tech · Dec 11, 2024 · 7642b00 · 7642b00
1 parent e70f4c7
commit 7642b00
Showing 1 changed file with 6 additions and 4 deletions.
diff --git a/nginx.conf b/nginx.conf
@@ -11,14 +11,16 @@ http {
         index index.html;
         listen 80;
 
-        add_header Content-Security-Policy "default-src https: 'unsafe-inline' 'unsafe-eval' blob: data: ws:" always;
-        # add_header Feature-Policy "microphone=(self),speaker=(self),fullscreen=(self),payment=(none);" always;
-        add_header Permissions-Policy "microphone=(self),speaker=(self),fullscreen=(self),payment=(none)" always;
+        add_header Content-Security-Policy "default-src https: 'unsafe-inline' 'unsafe-eval' blob: data:" always;
+        add_header Feature-Policy "microphone 'self';speaker 'self';fullscreen 'self';payment none;" always;
+        add_header Permissions-Policy "microphone=(self), fullscreen=(self), payment=()" always;
+
+        # Added X-Frame-Options header (security patch fix for clickjacking)
+        add_header X-Frame-Options "DENY" always;
     }
 
     gzip on;
     gzip_types text/css application/javascript;
     gzip_proxied any;
     gzip_buffers 32 8k;
-
 }