From 566471cae8f4086eaceabc30c899976cdde6c96d Mon Sep 17 00:00:00 2001
From: Kyle Spearrin
Date: Fri, 31 Aug 2018 12:16:36 -0400
Subject: [PATCH] enabled X-Frame-Options header
---
 util/Setup/Templates/NginxConfig.hbs | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/util/Setup/Templates/NginxConfig.hbs b/util/Setup/Templates/NginxConfig.hbs
index 0b2634f525..d5041b0229 100644
--- a/util/Setup/Templates/NginxConfig.hbs
+++ b/util/Setup/Templates/NginxConfig.hbs
@@ -47,7 +47,7 @@ server {
 # Security headers
 add_header Referrer-Policy same-origin;
- #add_header X-Frame-Options SAMEORIGIN;
+ add_header X-Frame-Options SAMEORIGIN;
 {{#if Ssl}}
 add_header X-Content-Type-Options nosniff;
 # This will enforce HTTP browsing into HTTPS and avoid ssl stripping attack. 6 months age
@@ -67,6 +67,16 @@ server {
 add_header Content-Type $fido_content_type;
 }
+ location = /duo-connector.html {
+ proxy_pass http://web:5000/duo-connector.html;
+ proxy_hide_header X-Frame-Options;
+ }
+
+ location = /u2f-connector.html {
+ proxy_pass http://web:5000/u2f-connector.html;
+ proxy_hide_header X-Frame-Options;
+ }
+
 location /attachments/ {
 proxy_pass http://attachments:5000/;
 }
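Review bot: The newly enabled `add_header X-Frame-Options SAMEORIGIN;` is only attached to the success and redirect status codes that `add_header` covers by default, so error responses from the proxied services go out without it; `add_header X-Frame-Options SAMEORIGIN always;` closes that gap. Separately, nginx drops all server-level `add_header` lines in any location that declares an `add_header` of its own, and the context of the second hunk shows such a block (`add_header Content-Type $fido_content_type;`), so responses from that location carry neither this header nor `Referrer-Policy` unless they are repeated there. The `server` block starts and ends outside the hunk, so other locations with their own `add_header` may be affected in the same way.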
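Review bot: `proxy_hide_header X-Frame-Options;` in the two new connector locations only strips the header sent by the `web` upstream; it does not suppress the server-level `add_header X-Frame-Options SAMEORIGIN;` enabled in the first hunk. Both locations declare no `add_header` of their own, so they inherit that header. If the intent is that `/duo-connector.html` and `/u2f-connector.html` stay frameable from other origins, the actual response headers should be checked, and the header likely has to move from the `server` level into the locations that should carry it. Whichever mechanism is kept, a comment such as `# connector pages are framed by client apps; X-Frame-Options intentionally not sent here` above each block would record why these two paths are exempt from the clickjacking protection.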