explain why we avoid iframing

2019-04-17 10:48:28 +02:00 · 2019-04-17 10:48:28 +02:00 · 0ac72104b8
parent 5cc772c48b
commit 0ac72104b8
1 changed files with 2 additions and 0 deletions
--- a/server.js
+++ b/server.js
@ -81,6 +81,8 @@ const init = async () => {
    if (!request.response.header) {
      return h.continue
    }
+    // Prevent site from being iframed since that might lead people to sniff
+    // out passwords
    request.response.header('X-FRAME-OPTIONS', 'deny')
    if (process.env.NODE_ENV !== 'test') {
      // CSP breaks browser-sync, so we ignore it for development