From a372d7d4e77b6b43e5c7474494bd1c2aaeb41f6d Mon Sep 17 00:00:00 2001
From: David Hoppenbrouwers
Date: Wed, 1 Feb 2023 12:02:08 +0100
Subject: [PATCH] Forbid iframes

This prevents clickjacking attacks.
---
 main.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/main.py b/main.py
index b6c47fc..df78fb3 100644
--- a/main.py
+++ b/main.py
@@ -33,6 +33,13 @@ class Role:
     MODERATOR = 1
     ADMIN = 2
 
+@app.after_request
+def after_request(response):
+    # This forbids other sites from embedding this site in an iframe,
+    # preventing clickjacking attacks.
+    response.headers['X-Frame-Options'] = 'DENY'
+    return response
+
 @app.route('/')
 def index():
     return render_template(
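Review bot: The new after_request hook relies on X-Frame-Options alone, which is the legacy mechanism; the standardised control is the CSP `frame-ancestors` directive, which modern browsers honour in preference to X-Frame-Options when both are present, so the hook should set both. Adding `response.headers['Content-Security-Policy'] = "frame-ancestors 'none'"` next to the X-Frame-Options line keeps the DENY behaviour for older browsers while giving current ones the authoritative directive; if the application already emits a Content-Security-Policy elsewhere (not visible in this hunk), the directive should be merged into that value rather than overwriting it. The comment could also state the limit of the measure, e.g. `# Note: also requires a CSP frame-ancestors directive for browsers that ignore X-Frame-Options when CSP is present.` The hunk's last context line cuts into index(), whose body continues outside the hunk.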