From 3719b5ad2f7b49f7d763ffcd21f368bfeef9fde0 Mon Sep 17 00:00:00 2001
From: atharv2-git
Date: Fri, 20 Jun 2025 11:13:36 +1000
Subject: [PATCH] added security headers inside production/proxy-nginx.conf to avoid clickjacking and xss attacks

---
 production/shared-files/proxy-nginx.conf | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/production/shared-files/proxy-nginx.conf b/production/shared-files/proxy-nginx.conf
index b5537ae6e..12db037ab 100644
--- a/production/shared-files/proxy-nginx.conf
+++ b/production/shared-files/proxy-nginx.conf
@@ -31,6 +31,11 @@ http {
 ssl_certificate /etc/nginx/cert.crt;
 ssl_certificate_key /etc/nginx/key.key;
+ # Security Headers added here to Prevent Clickjacking
+ add_header X-Frame-Options "DENY" always;
+ add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none';" always;
+ #Mentioning headers to prevent XSS attacks and not to load any