From 1593838f896dec29c8c61b3b43ef3e3e48bfb01c Mon Sep 17 00:00:00 2001
From: Eldad Fux
Date: Fri, 28 Aug 2020 15:20:04 +0300
Subject: [PATCH 1/2] Block iframe access to Appwrite console
---
 app/controllers/shared/web.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/app/controllers/shared/web.php b/app/controllers/shared/web.php
index d7b28de099..3452cd3535 100644
--- a/app/controllers/shared/web.php
+++ b/app/controllers/shared/web.php
@@ -36,7 +36,9 @@ App::init(function ($utopia, $request, $response, $layout) {
 $response
 ->addHeader('Cache-Control', 'public, max-age='.$time)
 ->addHeader('Expires', \date('D, d M Y H:i:s', \time() + $time).' GMT') // 45 days cache
- ->addHeader('X-UA-Compatible', 'IE=Edge'); // Deny IE browsers from going into quirks mode
+ ->addHeader('X-Frame-Options', 'SAMEORIGIN') // Avoid console and homepage from showing in iframes
+ ->addHeader('X-UA-Compatible', 'IE=Edge') // Deny IE browsers from going into quirks mode
+ ;
 $route = $utopia->match($request);
 $scope = $route->getLabel('scope', '');
From c3472eaab93203166c92dfb4fdf99321cfd6aa93 Mon Sep 17 00:00:00 2001
From: Eldad Fux
Date: Fri, 28 Aug 2020 15:21:41 +0300
Subject: [PATCH 2/2] Updated changelog
---
 CHANGES.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGES.md b/CHANGES.md
index e27b89b088..3b3c93ea41 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -59,6 +59,7 @@
 - Access to Health API now requires authentication with an API Key with access to `health.read` scope allowed
 - Added option to force HTTPS connection to the Appwrite server (_APP_OPTIONS_FORCE_HTTPS)
 - Now using your `_APP_SYSTEM_EMAIL_ADDRESS` as the email address for issuing and renewing SSL certificates
+- Block iframe access to Appwrite console using the `X-Frame-Options` header.
 # Version 0.6.2 (PRE-RELEASE)
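Review bot: `X-Frame-Options` is the legacy anti-framing control, and the added `->addHeader('X-Frame-Options', 'SAMEORIGIN')` line should be paired with the CSP equivalent, which browsers that support it prefer over `X-Frame-Options`: `->addHeader('Content-Security-Policy', "frame-ancestors 'self'") // Modern framing control; X-Frame-Options kept for older browsers`. If the response already carries a `Content-Security-Policy` header somewhere outside this hunk, the directive belongs in that header rather than in a second one, since multiple CSP headers are all enforced. The comment on the new line reads awkwardly; `// Clickjacking protection: only same-origin pages may frame the console and homepage` says what the header is for. The lone `;` on its own line after the chain is unusual style for this file, where the previous version terminated the last `addHeader()` call directly. The `App::init` closure this chain belongs to starts in the hunk header and continues past the hunk.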