
Commit f6564c0

Merge pull request #3574 from RedisInsight/be/feature/set-x-frame-options-header
Set X-Frame-Options header to routes
2 parents 5269d23 + ccbc3b0 commit f6564c0


3 files changed

+21
-1
lines changed


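--- a/redisinsight/api/src/app.module.ts
+++ b/redisinsight/api/src/app.module.ts
@@ -5,6 +5,7 @@ import {
 import { ServeStaticModule } from '@nestjs/serve-static';
 import { RouterModule } from '@nestjs/core';
 import { join } from 'path';
+import { Response } from 'express';
 import config, { Config } from 'src/utils/config';
 import { PluginModule } from 'src/modules/plugin/plugin.module';
 import { CommandsModule } from 'src/modules/commands/commands.module';
@@ -33,11 +34,16 @@ import { CliModule } from './modules/cli/cli.module';
 import { StaticsManagementModule } from './modules/statics-management/statics-management.module';
 import { ExcludeRouteMiddleware } from './middleware/exclude-route.middleware';
 import SubpathProxyMiddleware from './middleware/subpath-proxy.middleware';
+import XFrameOptionsMiddleware from './middleware/x-frame-options.middleware';
 import { routes } from './app.routes';
 
 const SERVER_CONFIG = config.get('server') as Config['server'];
 const PATH_CONFIG = config.get('dir_path') as Config['dir_path'];
 
+const setXFrameOptionsHeader = (res: Response) => {
+res.setHeader('X-Frame-Options', 'SAMEORIGIN');
+};
+
 @Module({
 imports: [
 LocalDatabaseModule,
@@ -73,6 +79,7 @@ const PATH_CONFIG = config.get('dir_path') as Config['dir_path'];
 serveRoot: SERVER_CONFIG.proxyPath ? `/${SERVER_CONFIG.proxyPath}` : '',
 serveStaticOptions: {
 index: false,
+setHeaders: setXFrameOptionsHeader,
 },
 }),
 ]
@@ -83,6 +90,7 @@ const PATH_CONFIG = config.get('dir_path') as Config['dir_path'];
 exclude: ['/api/**'],
 serveStaticOptions: {
 fallthrough: false,
+setHeaders: setXFrameOptionsHeader,
 },
 }),
 ServeStaticModule.forRoot({
@@ -91,6 +99,7 @@ const PATH_CONFIG = config.get('dir_path') as Config['dir_path'];
 exclude: ['/api/**'],
 serveStaticOptions: {
 fallthrough: false,
+setHeaders: setXFrameOptionsHeader,
 },
 }),
 StaticsManagementModule,
@@ -115,7 +124,7 @@ export class AppModule implements OnModuleInit, NestModule {
 
 configure(consumer: MiddlewareConsumer) {
 consumer
-.apply(SubpathProxyMiddleware)
+.apply(SubpathProxyMiddleware, XFrameOptionsMiddleware)
 .forRoutes('*');
 
 consumer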
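Review bot: `X-Frame-Options` is the legacy clickjacking control and is superseded by CSP `frame-ancestors` when both are present, so `setXFrameOptionsHeader` (and the middleware it mirrors) should also emit `res.setHeader('Content-Security-Policy', "frame-ancestors 'self'");` to give modern browsers the directive they actually honour. The same `'SAMEORIGIN'` literal is now repeated in the helper, three `setHeaders` options and the separate `XFrameOptionsMiddleware`, which invites drift if the policy is ever tightened to `DENY` or extended with CSP; a single exported constant, or a helper that both the static options and the middleware call, would keep one source of truth. A short comment on the helper stating why `SAMEORIGIN` rather than `DENY` was chosen would help, since nothing in this file shows whether the UI legitimately frames itself. Note also that `XFrameOptionsMiddleware` runs after `SubpathProxyMiddleware` in the `.apply(...)` chain, so if that proxy middleware ever ends a response without calling `next()` the header will be absent on it — not verifiable from this hunk, but worth a check or a reorder.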
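--- /dev/null
+++ b/redisinsight/api/src/middleware/x-frame-options.middleware.ts
@@ -0,0 +1,10 @@
+import { NestMiddleware, Injectable } from '@nestjs/common';
+import { Request, Response, NextFunction } from 'express';
+
+@Injectable()
+export default class XFrameOptionsMiddleware implements NestMiddleware {
+use(req: Request, res: Response, next: NextFunction) {
+res.setHeader('X-Frame-Options', 'SAMEORIGIN');
+next();
+}
+}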
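Review bot: The new `XFrameOptionsMiddleware` class carries no documentation and its `req` parameter is unused, which a strict ESLint setup will flag; rename it `_req` and add a header comment such as `/** Sets X-Frame-Options: SAMEORIGIN on every response that passes through the Nest middleware chain, as a clickjacking mitigation for the UI. Static assets are covered separately via serveStaticOptions.setHeaders. */`. It is also worth noting in that comment that `res.setHeader` unconditionally overwrites any value set by an earlier middleware, so a stricter `DENY` set upstream would be silently relaxed to `SAMEORIGIN` here.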

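--- a/redisinsight/api/src/modules/statics-management/statics-management.module.ts
+++ b/redisinsight/api/src/modules/statics-management/statics-management.module.ts
@@ -15,6 +15,7 @@ const downloadableStaticFiles = (res: Response) => {
 if (res.req?.query?.download === 'true') {
 res.setHeader('Content-Type', 'application/octet-stream');
 res.setHeader('Content-Disposition', 'attachment;');
+res.setHeader('X-Frame-Options', 'SAMEORIGIN');
 }
 };
 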
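Review bot: The header is added only inside the `download === 'true'` branch, i.e. on responses that already carry `Content-Disposition: attachment` and are never rendered in a frame, while the inline-served files from this module — the ones a clickjacking frame could actually embed — get nothing from this helper. Move `res.setHeader('X-Frame-Options', 'SAMEORIGIN');` above the `if` so every response served through `downloadableStaticFiles` carries it, unless these files are known to pass through the global middleware as well, which is not visible from this hunk. The enclosing `downloadableStaticFiles` arrow function begins before the hunk.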
