fix: clickjacking (#18516)

Signed-off-by: -LAN- <laipz8200@outlook.com> Co-authored-by: -LAN- <laipz8200@outlook.com>
2025-04-22 16:48:45 +08:00
parent a1158cc946
commit 3737e0b087
8 changed files with 37 additions and 15 deletions
--- a/web/.env.example
+++ b/web/.env.example
@@ -29,6 +29,8 @@ NEXT_PUBLIC_TEXT_GENERATION_TIMEOUT_MS=60000

 # CSP https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
 NEXT_PUBLIC_CSP_WHITELIST=
+# Default is not allow to embed into iframe to prevent Clickjacking: https://owasp.org/www-community/attacks/Clickjacking
+NEXT_PUBLIC_ALLOW_EMBED=

 # Github Access Token, used for invoking Github API
 NEXT_PUBLIC_GITHUB_ACCESS_TOKEN=