server: set X-Frame-Options

tailscale · Mar 16, 2024 · 4356add · 4356add
1 parent 833de3c
commit 4356add
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/server/tailsql/tailsql.go b/server/tailsql/tailsql.go
@@ -286,6 +286,7 @@ func (s *Server) serveUI(w http.ResponseWriter, r *http.Request) {
 func (s *Server) serveUIInternal(w http.ResponseWriter, r *http.Request, caller, src, query string) error {
 	http.SetCookie(w, siteAccessCookie)
 	w.Header().Set("Content-Security-Policy", contentSecurityPolicy)
+	w.Header().Set("X-Frame-Options", "DENY")
 
 	// If a non-empty query is present, require either a site access cookie or a
 	// no-browsers header.