Add frame-options option

.github/workflows/cd/cloudretro.io/config.yaml

@@ -4,6 +4,7 @@ coordinator:
   debug: true
   server:
     address:
+    frameOptions: SAMEORIGIN
     https: true
     tls:
       domain: cloudretro.io

pkg/config/config.yaml

@@ -60,6 +60,7 @@ coordinator:
   server:
     address: :8000
     cacheControl: "max-age=259200, must-revalidate"
+    frameOptions: ""
     https: false
     # Letsencrypt or self cert config
     tls:

pkg/config/shared.go

@@ -32,6 +32,7 @@ func (c *Monitoring) IsEnabled() bool { return c.MetricEnabled || c.ProfilingEna
 type Server struct {
 	Address      string
 	CacheControl string
+	FrameOptions string
 	Https        bool
 	Tls          struct {
 		Address   string

pkg/coordinator/coordinator.go

@@ -95,6 +95,9 @@ func index(conf config.CoordinatorConfig, log *logger.Logger) httpx.Handler {
 			if conf.Coordinator.Server.CacheControl != "" {
 				w.Header().Add("Cache-Control", conf.Coordinator.Server.CacheControl)
 			}
+			if conf.Coordinator.Server.FrameOptions != "" {
+				w.Header().Add("X-Frame-Options", conf.Coordinator.Server.FrameOptions)
+			}
 			if r.URL.Path == "/" || strings.HasSuffix(r.URL.Path, "/index.html") {
 				tpl := template.Must(template.ParseFiles(indexHTML))
 				handler(tpl, w, r)
@@ -108,6 +111,9 @@ func index(conf config.CoordinatorConfig, log *logger.Logger) httpx.Handler {
 		if conf.Coordinator.Server.CacheControl != "" {
 			w.Header().Add("Cache-Control", conf.Coordinator.Server.CacheControl)
 		}
+		if conf.Coordinator.Server.FrameOptions != "" {
+			w.Header().Add("X-Frame-Options", conf.Coordinator.Server.FrameOptions)
+		}
 		if r.URL.Path == "/" || strings.HasSuffix(r.URL.Path, "/index.html") {
 			handler(indexTpl, w, r)
 			return