
Commit 6f1d38a

authored
Fixes #88 - Allow specifying X-FRAME-OPTIONS with an environment variable (#89)
1 parent aad9ecd commit 6f1d38a


3 files changed

+27
-3
lines changed


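--- a/doc/INSTALL.md
+++ b/doc/INSTALL.md
@@ -143,3 +143,23 @@ Password: changeme
 ```
 
 Immediately after logging in with this default user you will be asked to modify your details and change your password.
+
+
+### Advanced Options
+
+#### X-FRAME-OPTIONS Header
+
+You can configure the [`X-FRAME-OPTIONS`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options) header
+value by specifying it as a Docker environment variable. The default if not specified is `deny`.
+
+```yml
+...
+environment:
+X_FRAME_OPTIONS: "sameorigin"
+...
+```
+
+```
+... -e "X_FRAME_OPTIONS=sameorigin" ...
+```
+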

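--- a/src/backend/app.js
+++ b/src/backend/app.js
@@ -40,11 +40,17 @@ app.use(require('./lib/express/cors'));
 
 // General security/cache related headers + server header
 app.use(function (req, res, next) {
+let x_frame_options = 'DENY';
+
+if (typeof process.env.X_FRAME_OPTIONS !== 'undefined' && process.env.X_FRAME_OPTIONS) {
+x_frame_options = process.env.X_FRAME_OPTIONS;
+}
+
 res.set({
 'Strict-Transport-Security': 'includeSubDomains; max-age=631138519; preload',
 'X-XSS-Protection': '0',
 'X-Content-Type-Options': 'nosniff',
-'X-Frame-Options': 'DENY',
+'X-Frame-Options': x_frame_options,
 'Cache-Control': 'no-cache, no-store, max-age=0, must-revalidate',
 Pragma: 'no-cache',
 Expires: 0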
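Review bot: The value of `process.env.X_FRAME_OPTIONS` is copied into the `X-Frame-Options` response header with no validation, so a typo or an unsupported value (for example the obsolete `ALLOW-FROM` form, which current browsers ignore) produces a header that is not enforced, and the clickjacking protection is silently lost instead of falling back to `DENY`. Restrict it to the two values browsers honour, e.g. `const requested = String(process.env.X_FRAME_OPTIONS || '').trim().toUpperCase();` followed by `const x_frame_options = ['DENY', 'SAMEORIGIN'].includes(requested) ? requested : 'DENY';`, ideally computed once outside the middleware rather than on every request, with a startup log line when a configured value is rejected. The `typeof ... !== 'undefined'` test is redundant next to the truthiness check on the same variable. The middleware callback and the `res.set({...})` call continue past the end of the hunk.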

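--- a/src/backend/index.js
+++ b/src/backend/index.js
@@ -1,7 +1,5 @@
 #!/usr/bin/env node
 
-'use strict';
-
 const logger = require('./logger').global;
 
 function appStart () {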
