routes: set X-Frame-Options: DENY

* Mitigation measure against clickjacking.
plotly · Jul 13, 2018 · 24c1e87 · 24c1e87
1 parent adbbbad
commit 24c1e87
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/backend/routes.js b/backend/routes.js
@@ -148,6 +148,14 @@ export default class Servers {
 
         that.electronWindow = that.httpsServer.electronWindow || that.httpServer.electronWindow;
 
+        server.pre(function (req, res, next) {
+            res.header(
+                'X-Frame-Options',
+                'DENY'
+            );
+            next();
+        });
+
         server.use(CookieParser.parse);
         server.use(PlotlyOAuth(Boolean(that.isElectron)));