Clickjacking prevention header? X-Frame-Options
chexxor opened this issue · 2 comments
chexxor commented
Are the following headers outside the domain of deis-router?
For stronger security, the "X-Frame-Options: SAMEORIGIN | DENY | ALLOW-FROM uri;" header can be used to prevent clickjacking.
The "X-Content-Type-Options: nosniff;" header seems to be recommended for security, also:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
I got these ideas by reading this, which seems reliable: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
krancour commented
Those are both response headers. As long as your application sets them, they will be included in the response from the router.