Fix X-Frame-Options header

8af8979f · ale · d1e6a380 · 8af8979f
Commit 8af8979f authored 5 years ago by ale
--- a/server/httputil/headers.go
+++ b/server/httputil/headers.go
@@ -12,7 +12,7 @@ func WithDynamicHeaders(h http.Handler, csp string) http.Handler {
 		hdr.Set("Pragma", "no-cache")
 		hdr.Set("Cache-Control", "no-store")
 		hdr.Set("Expires", "-1")
-		hdr.Set("X-Frame-Options", "NONE")
+		hdr.Set("X-Frame-Options", "deny")
 		hdr.Set("X-XSS-Protection", "1; mode=block")
 		hdr.Set("X-Content-Type-Options", "nosniff")
 		if csp != "" && hdr.Get("Content-Security-Policy") == "" {