Fixes #88 - Allow specifying X-FRAME-OPTIONS with an environment variable (#89)

2025-01-22 21:08:13 -05:00 · 2019-03-04 10:16:46 +10:00 · 2019-03-04 10:16:46 +10:00 · 6f1d38a0e2
commit 6f1d38a0e2
parent aad9ecde6b
3 changed files with 27 additions and 3 deletions
--- a/doc/INSTALL.md
+++ b/doc/INSTALL.md
@ -143,3 +143,23 @@ Password: changeme
 ```

 Immediately after logging in with this default user you will be asked to modify your details and change your password.
+
+
+### Advanced Options
+
+#### X-FRAME-OPTIONS Header
+
+You can configure the [`X-FRAME-OPTIONS`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options) header
+value by specifying it as a Docker environment variable. The default if not specified is `deny`.
+
+```yml
+  ...
+  environment:
+    X_FRAME_OPTIONS: "sameorigin"
+  ...
+```
+
+```
+... -e "X_FRAME_OPTIONS=sameorigin" ...
+```
+
--- a/src/backend/app.js
+++ b/src/backend/app.js
@ -40,11 +40,17 @@ app.use(require('./lib/express/cors'));

 // General security/cache related headers + server header
 app.use(function (req, res, next) {
+    let x_frame_options = 'DENY';
+
+    if (typeof process.env.X_FRAME_OPTIONS !== 'undefined' && process.env.X_FRAME_OPTIONS) {
+        x_frame_options = process.env.X_FRAME_OPTIONS;
+    }
+
    res.set({
        'Strict-Transport-Security': 'includeSubDomains; max-age=631138519; preload',
        'X-XSS-Protection':          '0',
        'X-Content-Type-Options':    'nosniff',
-        'X-Frame-Options':           'DENY',
+        'X-Frame-Options':           x_frame_options,
        'Cache-Control':             'no-cache, no-store, max-age=0, must-revalidate',
        Pragma:                      'no-cache',
        Expires:                     0
--- a/src/backend/index.js
+++ b/src/backend/index.js
@ -1,7 +1,5 @@
 #!/usr/bin/env node

-'use strict';
-
 const logger = require('./logger').global;

 function appStart () {