Fixes #88 - Allow specifying X-FRAME-OPTIONS with an environment variable

doc/INSTALL.md

@@ -143,3 +143,23 @@ Password: changeme
 ```
 
 Immediately after logging in with this default user you will be asked to modify your details and change your password.
+
+
+### Advanced Options
+
+#### X-FRAME-OPTIONS Header
+
+You can configure the [`X-FRAME-OPTIONS`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options) header
+value by specifying it as a Docker environment variable. The default if not specified is `deny`.
+
+```yml
+  ...
+  environment:
+    X_FRAME_OPTIONS: "sameorigin"
+  ...
+```
+
+```
+... -e "X_FRAME_OPTIONS=sameorigin" ...
+```
+

src/backend/app.js

@@ -40,11 +40,17 @@ app.use(require('./lib/express/cors'));
 
 // General security/cache related headers + server header
 app.use(function (req, res, next) {
+    let x_frame_options = 'DENY';
+
+    if (typeof process.env.X_FRAME_OPTIONS !== 'undefined' && process.env.X_FRAME_OPTIONS) {
+        x_frame_options = process.env.X_FRAME_OPTIONS;
+    }
+
     res.set({
         'Strict-Transport-Security': 'includeSubDomains; max-age=631138519; preload',
         'X-XSS-Protection':          '0',
         'X-Content-Type-Options':    'nosniff',
-        'X-Frame-Options':           'DENY',
+        'X-Frame-Options':           x_frame_options,
         'Cache-Control':             'no-cache, no-store, max-age=0, must-revalidate',
         Pragma:                      'no-cache',
         Expires:                     0

src/backend/index.js

@@ -1,7 +1,5 @@
 #!/usr/bin/env node
 
-'use strict';
-
 const logger = require('./logger').global;
 
 function appStart () {