From 144698a02fd003bc10271cc13de669c90084902d Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Fri, 18 Jun 2021 05:05:39 -0400
Subject: [PATCH] set up basic frame security headers
---
 nginx/nginx.conf | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index a9b31d5..e013f69 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -89,6 +89,8 @@ http {
 root /usr/share/webapps/element;
 include snippets/security-headers.conf;
+ add_header Content-Security-Policy "frame-ancestors 'self'";
+ add_header X-Frame-Options "SAMEORIGIN";
 add_header X-Robots-Tag "none";
 }
@@ -100,13 +102,19 @@ http {
 root /var/empty;
 include snippets/security-headers.conf;
+ add_header Content-Security-Policy "frame-ancestors 'none'";
+ add_header X-Frame-Options "DENY";
 location = / {
 return 301 https://grapheneos.org/articles/grapheneos-servers#matrix.grapheneos.org;
 }
 location ~* ^(\/_matrix|\/_synapse\/client) {
+ proxy_hide_header Content-Security-Policy;
+ proxy_hide_header X-Frame-Options;
 include snippets/security-headers.conf;
+ add_header Content-Security-Policy "frame-ancestors 'none'";
+ add_header X-Frame-Options "DENY";
 add_header X-Robots-Tag "none";
 proxy_pass http://backend;
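Review bot: The two added `add_header` lines in the Element server block lack the `always` parameter, so nginx attaches them only to a fixed set of success and redirect status codes. Error responses from this block (404, 500 and the like) go out without the framing restriction. I would write `add_header Content-Security-Policy "frame-ancestors 'self'" always;` and `add_header X-Frame-Options "SAMEORIGIN" always;`. The same applies to the four `add_header` lines added in the second hunk, at server level and inside the `/_matrix` location. Whether `snippets/security-headers.conf` uses `always` is not visible here, and the server block opens before the hunk.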
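Review bot: `proxy_hide_header Content-Security-Policy;` in the `/_matrix` location discards any policy the backend sends, leaving only `frame-ancestors 'none'` plus whatever the snippet sets, which is not visible here. If the backend is Synapse, its media endpoints are known to send a sandboxing CSP on user-uploaded content, and that protection would be lost on proxied responses. Browsers enforce every Content-Security-Policy header on a response, so the added header can sit next to the backend's. I would drop that one line, keep `proxy_hide_header X-Frame-Options;`, and add a comment such as `# backend CSP is passed through; all CSP headers on a response are enforced`. The location block continues past the end of the hunk.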