From 6eb174c5e72e4a4b60cbd61a666fbe90d01e46bb Mon Sep 17 00:00:00 2001
From: Pavel Vomacka
Date: Thu, 10 Mar 2016 18:32:50 +0100
Subject: Add X-Frame-Options and frame-ancestors options

These two options allow preventing clickjacking attacks. They don't allow open FreeIPA in frame, iframe or object element.
https://fedorahosted.org/freeipa/ticket/4631
Reviewed-By: Petr Vobornik
Reviewed-By: Simo Sorce
---
 install/conf/ipa.conf | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 8d4fea35e..cf10fc815 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
 #
-# VERSION 19 - DO NOT REMOVE THIS LINE
+# VERSION 20 - DO NOT REMOVE THIS LINE
 #
 # This file may be overwritten on upgrades.
 #
@@ -71,6 +71,8 @@ WSGIScriptReloading Off
 ErrorDocument 401 /ipa/errors/unauthorized.html
 WSGIProcessGroup ipa
 WSGIApplicationGroup ipa
+ Header always append X-Frame-Options DENY
+ Header always append Content-Security-Policy "frame-ancestors 'none'"
 # Turn off Apache authentication for sessions
-- cgit
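Review bot: `Header always append X-Frame-Options DENY` in the second hunk merges with any X-Frame-Options value set elsewhere in the server configuration into a comma-separated list such as `DENY, SAMEORIGIN`, which browsers treat as an invalid header and ignore, so the clickjacking protection would silently disappear; X-Frame-Options is single-valued and should use `Header always set X-Frame-Options DENY`. The Content-Security-Policy line can keep `append`, since a comma-joined CSP header is enforced as independent policies and `set` would clobber any other directives configured for the same responses. The surrounding context (WSGIProcessGroup, WSGIApplicationGroup) suggests these directives sit inside one container block whose opening and closing lines are outside the hunk, so other paths served by this file, such as the error pages referenced by the ErrorDocument line above, would presumably not receive the headers unless they are also covered — worth confirming. Both directives also depend on mod_headers being loaded; a comment such as `# Requires mod_headers; prevents the UI from being framed (clickjacking)` next to the new lines would make that explicit.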