From 95690230831ec9fa0c516c268419931722aab62c Mon Sep 17 00:00:00 2001
From: Atharv Bhandare
Date: Tue, 29 Apr 2025 01:05:19 +1000
Subject: [PATCH] Added security headers including X-Frame Options along with Content-Security-Policy to avoid ClickJacking and XSS attack under doubtfire-deploy > proxy-nginx

---
 production/shared-files/proxy-nginx.conf | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/production/shared-files/proxy-nginx.conf b/production/shared-files/proxy-nginx.conf
index b5537ae6e..92f10ec36 100644
--- a/production/shared-files/proxy-nginx.conf
+++ b/production/shared-files/proxy-nginx.conf
@@ -31,6 +31,11 @@ http {
     ssl_certificate /etc/nginx/cert.crt;
     ssl_certificate_key /etc/nginx/key.key;
+    # Security Headers to Prevent Clickjacking
+    add_header X-Frame-Options "DENY" always;
+    add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none';" always;
+    #Mentioning headers to prevent XSS attacks and not to load any