Merge branch 'dz-api-x-frame' into 'security-9-2'

Restrict API X-Frame-Options to same origin See merge request !2103

Merge branch 'dz-api-x-frame' into 'security-9-2'
ac6ec8ac · Robert Speicher · Timothy Andrew · 200e8582 · ac6ec8ac · ac6ec8ac
Commit ac6ec8ac authored May 23, 2017 by Robert Speicher Committed by Timothy Andrew May 31, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 0 deletions

dz-api-x-frame.yml changelogs/unreleased/dz-api-x-frame.yml +4 -0

api.rb lib/api/api.rb +1 -0

No files found.
--- a/changelogs/unreleased/dz-api-x-frame.yml
+++ b/changelogs/unreleased/dz-api-x-frame.yml
+---
+title: Restrict API X-Frame-Options to same origin
+merge_request:
+author:
--- a/lib/api/api.rb
+++ b/lib/api/api.rb
@@ -44,6 +44,7 @@ module API
    end

    before { allow_access_with_scope :api }
+    before { header['X-Frame-Options'] = 'SAMEORIGIN' }

    rescue_from Gitlab::Access::AccessDeniedError do
      rack_response({ 'message' => '403 Forbidden' }.to_json, 403)