Server: Security: Implement clickjacking defense

packages/server/src/app.ts

@@ -18,6 +18,7 @@ import { initializeJoplinUtils } from './utils/joplinUtils';
 import startServices from './utils/startServices';
 import { credentialFile } from './utils/testing/testUtils';
 import apiVersionHandler from './middleware/apiVersionHandler';
+import clickJackingHandler from './middleware/clickJackingHandler';
 
 const cors = require('@koa/cors');
 const nodeEnvFile = require('node-env-file');
@@ -171,6 +172,7 @@ async function main() {
 	app.use(apiVersionHandler);
 	app.use(ownerHandler);
 	app.use(notificationHandler);
+	app.use(clickJackingHandler);
 	app.use(routeHandler);
 
 	await initConfig(env, envVariables);

packages/server/src/middleware/clickJackingHandler.ts

@@ -0,0 +1,8 @@
+import { AppContext, KoaNext } from '../utils/types';
+
+export default async function(ctx: AppContext, next: KoaNext): Promise<void> {
+	// https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html
+	ctx.response.set('Content-Security-Policy', 'frame-ancestors \'none\'');
+	ctx.response.set('X-Frame-Options', 'DENY');
+	return next();
+}