From e61dfd80a54bcb7605a5bf4c12aae4cea4a91ee1 Mon Sep 17 00:00:00 2001
From: Timothy Carambat <rambat1010@gmail.com>
Date: Wed, 1 May 2024 13:02:08 -0700
Subject: [PATCH] Prevent i-framing of frontend UI to prevent unsafe embedding
 and/or clickjacking (#1200)

Prevent iframing of frontend UI to prevent unsafe embedding and/or clickjacking
---
 server/index.js | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/server/index.js b/server/index.js
index 158b80af8..7874045be 100644
--- a/server/index.js
+++ b/server/index.js
@@ -56,7 +56,14 @@ embeddedEndpoints(apiRouter);
 
 if (process.env.NODE_ENV !== "development") {
   app.use(
-    express.static(path.resolve(__dirname, "public"), { extensions: ["js"] })
+    express.static(path.resolve(__dirname, "public"), {
+      extensions: ["js"],
+      setHeaders: (res) => {
+        // Disable I-framing of entire site UI
+        res.removeHeader("X-Powered-By");
+        res.setHeader("X-Frame-Options", "DENY");
+      },
+    })
   );
 
   app.use("/", function (_, response) {
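Review bot: The new `setHeaders` callback on `express.static` only fires for files the static middleware itself serves, so any path it cannot resolve (a client-side route such as a deep link) falls through to the `app.use("/", …)` fallback on the last hunk line, whose response never receives `X-Frame-Options` — and that is exactly the kind of URL an embedding page would load, so the clickjacking protection is incomplete (the fallback's body is outside the hunk, so this is inferred from its position after the static handler). A small app-level middleware registered before both handlers covers every response, and sending `Content-Security-Policy: frame-ancestors 'none'` alongside `X-Frame-Options` is the current recommendation since CSP takes precedence in modern browsers. The `res.removeHeader("X-Powered-By")` call is unrelated to the "Disable I-framing" comment above it and is more conventionally done once with `app.disable("x-powered-by")`, which also covers API responses. The whole block is skipped when `NODE_ENV` is `"development"`, so the header is never exercised locally; moving the headers to the middleware below also removes that gap.
```javascript
// Registered ahead of the static and fallback handlers so every response
// carries the anti-framing headers, not only files express.static serves.
app.use((_, res, next) => {
  res.setHeader("X-Frame-Options", "DENY");
  res.setHeader("Content-Security-Policy", "frame-ancestors 'none'");
  next();
});

if (process.env.NODE_ENV !== "development") {
  // … unchanged: express.static and "/" fallback registration …
```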