context: add X-Frame-Options header (#6411)

Co-authored-by: ᴜɴᴋɴᴡᴏɴ <u@gogs.io>
author: Matheus Mosca <42419282+matheusmosca@users.noreply.github.com> 2020-11-11 01:17:43 -0300
committer: GitHub <noreply@github.com> 2020-11-11 12:17:43 +0800
commit: 997ba0fef01cc5ea69de1be7e997c7b7e184dd52 (patch)
tree: eda04450c549a1de9c2564db1bf8ec620f033e64
parent: 6f735cc2dade8c24c66f2c131f26334784de6139 (diff)
2 files changed, 3 insertions, 0 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9f82ed08..29bf1764 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,6 +17,8 @@ All notable changes to Gogs are documented in this file.
 
 ### Fixed
 
+- Add `X-Frame-Options` header to prevent Clickjacking. [#6409](https://github.com/gogs/gogs/issues/6409) 
+
 ### Removed
 
 - ⚠️ Migrations before 0.12 are removed, installations not on 0.12 should upgrade to it to run the migrations and then upgrade to 0.13.
diff --git a/internal/context/context.go b/internal/context/context.go
index 55c94c59..da967b11 100644
--- a/internal/context/context.go
+++ b/internal/context/context.go
@@ -289,6 +289,7 @@ func Contexter() macaron.Handler {
 		// 🚨 SECURITY: Prevent MIME type sniffing in some browsers,
 		// see https://github.com/gogs/gogs/issues/5397 for details.
 		c.Header().Set("X-Content-Type-Options", "nosniff")
+		c.Header().Set("X-Frame-Options", "DENY")
 
 		ctx.Map(c)
 	}
author	Matheus Mosca <42419282+matheusmosca@users.noreply.github.com>	2020-11-11 01:17:43 -0300
committer	GitHub <noreply@github.com>	2020-11-11 12:17:43 +0800
commit	997ba0fef01cc5ea69de1be7e997c7b7e184dd52 (patch)
tree	eda04450c549a1de9c2564db1bf8ec620f033e64
parent	6f735cc2dade8c24c66f2c131f26334784de6139 (diff)