app-backend: disallow all iframe embedding of the app

Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
This commit is contained in:
Patrik Oldsberg
2021-12-29 11:45:20 +01:00
parent 0fdac13e7d
commit 9d9cfc1b8a
3 changed files with 9 additions and 0 deletions
+5
@@ -0,0 +1,5 @@
---
'@backstage/plugin-app-backend': patch
---
Set `X-Frame-Options: deny` rather than the default `sameorigin` for all content served by the `app-backend`.`
+1
@@ -38,6 +38,7 @@
"express": "^4.17.1",
"express-promise-router": "^4.1.0",
"fs-extra": "9.1.0",
"helmet": "^4.0.0",
"winston": "^3.2.1",
"yn": "^4.0.0"
},
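Review bot: `"helmet": "^4.0.0"` — presumably the one line added in this hunk, given the new `import helmet from 'helmet'` in router.ts — introduces a new runtime dependency whose only use visible in this commit is `helmet.frameguard({ action: 'deny' })`, i.e. one static response header. A two-line middleware, `router.use((_req, res, next) => { res.setHeader('X-Frame-Options', 'DENY'); next(); });`, would give the same result without widening the supply chain of a package that sits in front of every response the app-backend serves. If helmet is being adopted deliberately so that more of its headers (nosniff, HSTS, CSP `frame-ancestors`, which is the modern replacement for X-Frame-Options) can follow, that intent is worth one sentence in the changeset, since a caret range will also pick up future 4.x minors automatically unless the repo lockfile pins it. Note too that the adjacent `"fs-extra": "9.1.0"` is pinned exactly while the new entry floats; either convention is defensible, but the two now sit side by side in this block.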
@@ -16,6 +16,7 @@
import { notFoundHandler, resolvePackagePath } from '@backstage/backend-common';
import { Config } from '@backstage/config';
import helmet from 'helmet';
import express from 'express';
import Router from 'express-promise-router';
import fs from 'fs-extra';
@@ -89,6 +90,8 @@ export async function createRouter(
const router = Router();
router.use(helmet.frameguard({ action: 'deny' }));
// Use a separate router for static content so that a fallback can be provided by backend
const staticRouter = Router();
staticRouter.use(express.static(resolvePath(appDistDir, 'static')));