From f465bcce7e282ff6deed71b88d085ad10ad74808 Mon Sep 17 00:00:00 2001
From: D-K-P <8297864+D-K-P@users.noreply.github.com>
Date: Mon, 10 Feb 2025 13:37:09 +0000
Subject: [PATCH] Added X-Frame-Options and CSP

---
 apps/webapp/app/entry.server.tsx | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/apps/webapp/app/entry.server.tsx b/apps/webapp/app/entry.server.tsx
index 4a4330c9f2..5901d0a002 100644
--- a/apps/webapp/app/entry.server.tsx
+++ b/apps/webapp/app/entry.server.tsx
@@ -25,6 +25,13 @@ export default function handleRequest(
   responseHeaders: Headers,
   remixContext: EntryContext
 ) {
+  const url = new URL(request.url);
+
+  if (url.pathname.startsWith("/login")) {
+    responseHeaders.set("X-Frame-Options", "SAMEORIGIN");
+    responseHeaders.set("Content-Security-Policy", "frame-ancestors 'self'");
+  }
+
   const acceptLanguage = request.headers.get("accept-language");
   const locales = parseAcceptLanguage(acceptLanguage, {
     validate: Intl.DateTimeFormat.supportedLocalesOf,
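Review bot: The anti-framing headers are gated on `url.pathname.startsWith("/login")`, so every other document response — including authenticated pages where a framed click can trigger a state-changing action — stays frameable, and a request for `/LOGIN` or `/Login` (which React Router matches case-insensitively by default, if this app relies on that) renders the login page without either header. Clickjacking protection is cheap and has no known legitimate cross-origin framing use here, so unless there is a page that must be embedded, move the two `responseHeaders.set(...)` calls out of the `if` and drop the `url` check so they apply to all responses, e.g. `responseHeaders.set("X-Frame-Options", "SAMEORIGIN"); responseHeaders.set("Content-Security-Policy", "frame-ancestors 'self'");` immediately after `) {`. Note also that `set` replaces any `Content-Security-Policy` a route-level `headers()` export may already have merged into `responseHeaders`, which would silently weaken a stricter policy; if routes do set CSP, either append `frame-ancestors 'self'` to the existing value or guard with `if (!responseHeaders.has("Content-Security-Policy"))`. If the `/login` scoping is deliberate, a one-line comment such as `// Restrict framing on auth pages only; other routes are intentionally embeddable` would record that decision. The rest of `handleRequest` continues outside the hunk.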