From ef35a04c4a24e97dec54a37082d6bf08499bebcf Mon Sep 17 00:00:00 2001
From: Nariman Jelveh
Date: Mon, 22 Apr 2024 14:09:32 -0700
Subject: [PATCH] Disable iframing of the main domain

---
 packages/backend/src/services/WebServerService.js | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/packages/backend/src/services/WebServerService.js b/packages/backend/src/services/WebServerService.js
index 04d8df31..e7f10183 100644
--- a/packages/backend/src/services/WebServerService.js
+++ b/packages/backend/src/services/WebServerService.js
@@ -336,6 +336,13 @@ class WebServerService extends BaseService {
 // res.setHeader('Cross-Origin-Embedder-Policy', 'require-corp')
 res.setHeader('Cross-Origin-Resource-Policy', 'cross-origin');
 // Pass to next layer of middleware
+
+ // disable iframes on the main domain
+ if ( req.hostname === config.domain ) {
+ // disable iframes
+ res.setHeader('X-Frame-Options', 'SAMEORIGIN');
+ }
+
 next();
 });
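Review bot: The new check sets only the legacy `X-Frame-Options` header; current browsers honour the CSP `frame-ancestors` directive in preference to it, so the same branch should also emit `res.setHeader('Content-Security-Policy', "frame-ancestors 'self'");` next to the existing setHeader (if this middleware already sets a Content-Security-Policy header elsewhere, merge the directive into that value instead, since setHeader replaces it). Be aware that `req.hostname` comes from the request's Host header (or X-Forwarded-Host when trust proxy is enabled), so any request that reaches the server under a name other than exactly `config.domain` — an alias, a bare IP, or a subdomain — gets no framing restriction at all; if only specific app subdomains are meant to be frameable, an allowlist of those with a deny default would be the more robust shape. The inner `// disable iframes` comment repeats the one above the `if` and can be dropped. The enclosing middleware callback starts and ends outside this hunk.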