From f80cce7e276d09afd3436e137e37b8eb4ec9e2de Mon Sep 17 00:00:00 2001
From: Ben Adida <ben@adida.net>
Date: Sun, 17 Jul 2011 12:20:21 -0700
Subject: [PATCH] Added x-frame-options deny to all requests to prevent
 clickjacking in modern browsers.

---
 browserid/app.js | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/browserid/app.js b/browserid/app.js
index 0d1c9e499..c685e4915 100644
--- a/browserid/app.js
+++ b/browserid/app.js
@@ -122,6 +122,12 @@ exports.setup = function(server) {
     next();
   });
 
+  // prevent framing
+  server.use(function(req, resp, next) {
+      resp.setHeader('x-frame-options', 'DENY');
+      next();
+    });
+
   // add the actual URL handlers other than static
   router(server);
 }
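Review bot: The header is only set on requests that actually reach this middleware, and the context comment `// add the actual URL handlers other than static` suggests static content is served by a separate handler. If that handler is registered earlier in `exports.setup` and ends the response itself, static HTML pages would be sent without `x-frame-options`, which falls short of the "all requests" in the subject line. `exports.setup` begins outside this hunk, so the order cannot be confirmed from here; registering this `server.use` ahead of any handler that can end a response would make the coverage unconditional. The comment could record that requirement, e.g. `// prevent framing (clickjacking): must run before any handler that ends the response`. As a style point, the added body is indented six spaces where the middleware just above uses four.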
-- 
GitLab