From b8cddad4d3936f7a38ba709c4e9c506a7fe2b53e Mon Sep 17 00:00:00 2001
From: Cardinal
Date: Wed, 11 Mar 2026 19:18:10 +0100
Subject: [PATCH] add clickjacking solutiion
---
 backend/README.md | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/backend/README.md b/backend/README.md
index 471e889..1b57a32 100644
--- a/backend/README.md
+++ b/backend/README.md
@@ -68,6 +68,10 @@ server {
 root /var/www/beeport/out/;
 index index.html;
+ # Clickjacking protection (X-Frame-Options + CSP frame-ancestors)
+ add_header X-Frame-Options "DENY" always;
+ add_header Content-Security-Policy "frame-ancestors 'none'" always;
+
 location / {
 try_files $uri /index.html;
 }
@@ -302,6 +306,17 @@ sudo nginx -t
 sudo systemctl reload nginx
 ```
+ ## Security: Clickjacking (X-Frame-Options)
+ To prevent clickjacking, the nginx example includes:
+ - **X-Frame-Options: DENY** – tells the browser not to render the site in a frame/iframe.
+ - **Content-Security-Policy: frame-ancestors 'none'** – modern equivalent; use both for broad browser support.
+ Set these once in the main HTTPS `server` block that serves the frontend HTML. They do not need to be duplicated in API proxy locations such as `/bzz`, `/stamps`, `/wallet`, `/tags`, or `/health`.
+ If you serve Beeport from another host (e.g. beeport.ethswarm.org), ensure the same headers are set in that server’s nginx or CDN config so the app cannot be embedded in malicious iframes.
+
 ## Troubleshooting CORS Issues
 If you're still getting CORS errors, try these debugging steps:
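Review bot: The sentence "They do not need to be duplicated in API proxy locations such as `/bzz`, `/stamps`, ..." in the second hunk is wrong for nginx whenever one of those `location` blocks carries its own `add_header` directive, which seems likely here given the CORS troubleshooting section that follows: `add_header` is inherited from the `server` level only if the current level defines no `add_header` at all, so such a location would answer without either clickjacking header even though the two lines added in the first hunk sit in the enclosing `server` block. The README should state the real rule, e.g. replace that sentence with `Note that nginx does not inherit add_header into a location block that sets its own add_header (for example CORS headers); repeat the two directives there, or put them in a snippet and include it from every such block.` A practical check is `curl -sI https://<host>/bzz/... | grep -i -e x-frame -e content-security` against each proxied path after `nginx -t && systemctl reload nginx`, which would also be worth adding next to the existing reload instructions. The surrounding `server` block starts before and ends after the first hunk, so any location-level `add_header` lines are not visible here and this is an inference from the CORS section.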