From ae32bf7232a5e97a9459075632555fb4ce86e0bc Mon Sep 17 00:00:00 2001 From: Tim Wundenberg Date: Sat, 23 Nov 2024 12:52:52 +0100 Subject: [PATCH] feat(security): #273 disable frame-ancestors --- middleware/content_security_policiy.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/middleware/content_security_policiy.go b/middleware/content_security_policiy.go index 68f55a6..ba4e370 100644 --- a/middleware/content_security_policiy.go +++ b/middleware/content_security_policiy.go @@ -7,7 +7,7 @@ func ContentSecurityPolicy(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { // While this value can be overridden, it can't be moved to after the next.ServeHTTP call, // because if the response writer get's closed, the headers can't be set anymore - w.Header().Set("Content-Security-Policy", "default-src 'self' https://umami.me-fit.eu") + w.Header().Set("Content-Security-Policy", "default-src 'self' https://umami.me-fit.eu; frame-ancestors 'none'") next.ServeHTTP(w, r) })