From 01dd12f56727af1b5eeded716f0d1a707769b0f3 Mon Sep 17 00:00:00 2001
From: Eric Nemchik
Date: Thu, 29 Oct 2020 10:13:55 -0500
Subject: [PATCH] Set frame-ancestors in Content-Security-Policy
https://infosec.mozilla.org/guidelines/web_security#x-frame-options
---
 root/defaults/ssl.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/root/defaults/ssl.conf b/root/defaults/ssl.conf
index 89099aa..ca6a007 100644
--- a/root/defaults/ssl.conf
+++ b/root/defaults/ssl.conf
@@ -40,7 +40,7 @@ ssl_early_data on;
 # Optional additional headers
 #add_header Cache-Control "no-transform" always;
-#add_header Content-Security-Policy "upgrade-insecure-requests";
+#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'";
 #add_header Referrer-Policy "same-origin" always;
 #add_header X-Content-Type-Options "nosniff" always;
 #add_header X-Frame-Options "SAMEORIGIN" always;
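Review bot: The new Content-Security-Policy line still omits the `always` parameter that the Cache-Control, Referrer-Policy, X-Content-Type-Options and X-Frame-Options lines around it all carry. Without `always`, nginx adds the header only to a fixed set of success and redirect status codes, so 4xx/5xx responses would go out without `frame-ancestors 'self'`, and framing protection on those pages would depend on the X-Frame-Options line also being enabled. Unless the omission is deliberate (not visible from this hunk), I would write `#add_header Content-Security-Policy "upgrade-insecure-requests; frame-ancestors 'self'" always;`. Since the directive ships commented out, a short comment above the block would also help, e.g. `# Uncomment to enable; a server/location block that sets its own add_header will not inherit these.`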