From eefeef1ee4e13b90f19d26df5c1c5bfda0e10658 Mon Sep 17 00:00:00 2001
From: Iain Sproat <68657+iainsproat@users.noreply.github.com>
Date: Thu, 25 Jul 2024 14:20:23 +0100
Subject: [PATCH] feat(server): adds content-security-policy header to server endpoints (#2500)

---
 packages/server/app.ts | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/packages/server/app.ts b/packages/server/app.ts
index cba18dbc7..397f96599 100644
--- a/packages/server/app.ts
+++ b/packages/server/app.ts
@@ -334,6 +334,16 @@ export async function init() {
   app.use(errorLoggingMiddleware)
   app.use(authContextMiddleware)
   app.use(createRateLimiterMiddleware())
+  app.use(
+    async (
+      _req: express.Request,
+      res: express.Response,
+      next: express.NextFunction
+    ) => {
+      res.setHeader('Content-Security-Policy', "frame-ancestors 'none'")
+      next()
+    }
+  )
   app.use(mixpanelTrackerHelperMiddleware)
   app.use(Sentry.Handlers.errorHandler())
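Review bot: The new CSP middleware is registered after `authContextMiddleware` and `createRateLimiterMiddleware()`, so any response those earlier layers send on their own (a rate-limit rejection, for instance) goes out without `Content-Security-Policy`; registering it ahead of them, as early in the chain as nothing else depends on, closes that gap. The handler is declared `async` but never awaits, and in Express 4 a rejection from an async middleware is not routed to the error handler, so the keyword should go: `(_req: express.Request, res: express.Response, next: express.NextFunction) => {`. Since older user agents ignore `frame-ancestors`, emitting the legacy equivalent `res.setHeader('X-Frame-Options', 'DENY')` next to it is worth considering, and a one-line comment naming the intent (`// anti-clickjacking: forbid embedding this server's responses in any frame`) would help the next reader. The enclosing `init()` starts and ends outside this hunk.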