On 2023/02/07 10:20, Peter J. Philipp wrote:
> Hi,
>
> Arslan Kabeer (on the Internet) made me aware of clickjacking being done on
> my site using OpenBSD httpd. This following patch implements an RFC 7034
> protection called "noiframe" which disallows other sites (but not the same
> site) to add an iframe to my site.
>
> The config change is like this:
>
> ----->
> location "/" {
>         directory index index.html
>         noiframe

Using a specific keyword for every site protection header that somebody might want seems a bit much. (There are other settings for x-frame-options, other headers like content-security-policy and x-content-type-options, and various deprecated ones). Wouldn't a general-purpose "set header X with the value Y" make more sense?
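Whichever way the header ends up being configured, the result can be checked from the response. The following is an added example, not part of either message or of the patch: it classifies a response's anti-framing policy from X-Frame-Options (RFC 7034) and the Content-Security-Policy `frame-ancestors` directive. The function name `framing_policy` and the sample headers are constructed for illustration, and it assumes one value per header name.

```python
def framing_policy(headers):
    """Classify the anti-framing policy of one HTTP response.

    headers: dict of response header names to values.
    Returns (verdict, reason), verdict being one of
    'deny', 'sameorigin', 'restricted', 'unprotected'.
    """
    h = {k.strip().lower(): v.strip() for k, v in headers.items()}

    # Browsers that support CSP frame-ancestors enforce it and ignore
    # X-Frame-Options when both are present, so look at it first.
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if not parts or parts[0].lower() != "frame-ancestors":
            continue
        sources = [s.lower() for s in parts[1:]]
        if sources == ["'none'"]:
            return "deny", "CSP frame-ancestors 'none'"
        if sources == ["'self'"]:
            return "sameorigin", "CSP frame-ancestors 'self'"
        if "*" in sources:
            return "unprotected", "frame-ancestors * permits any site"
        return "restricted", "frame-ancestors allow-list: " + " ".join(sources)

    # RFC 7034 values are case-insensitive.
    xfo = h.get("x-frame-options", "").lower()
    if xfo == "deny":
        return "deny", "X-Frame-Options DENY"
    if xfo == "sameorigin":
        # Same-site framing allowed, other sites blocked.
        return "sameorigin", "X-Frame-Options SAMEORIGIN"
    if xfo.startswith("allow-from"):
        return "unprotected", "ALLOW-FROM is not honoured by current browsers"
    if xfo:
        return "unprotected", "unrecognised X-Frame-Options value"
    return "unprotected", "no anti-framing header present"


if __name__ == "__main__":
    # Constructed sample responses.
    samples = [
        {"X-Frame-Options": "SAMEORIGIN"},
        {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
        {"Content-Type": "text/html"},
    ]
    for s in samples:
        print(s, "->", framing_policy(s))
```

The second sample shows why the two headers need to be reviewed together: a permissive `frame-ancestors` overrides a strict X-Frame-Options in browsers that implement CSP.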