From f0faacac44785ba79a6c5de6a9966a40e5c1487c Mon Sep 17 00:00:00 2001
From: Atharv Bhandare
Date: Wed, 30 Apr 2025 12:35:44 +1000
Subject: [PATCH] Added security headers to prevent Click Jacking and XSS inside proxy-nginx.conf

---
 production/shared-files/proxy-nginx.conf | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/production/shared-files/proxy-nginx.conf b/production/shared-files/proxy-nginx.conf
index b5537ae6e..12db037ab 100644
--- a/production/shared-files/proxy-nginx.conf
+++ b/production/shared-files/proxy-nginx.conf
@@ -31,6 +31,11 @@ http {
 ssl_certificate /etc/nginx/cert.crt;
 ssl_certificate_key /etc/nginx/key.key;
+ # Security Headers added here to Prevent Clickjacking
+ add_header X-Frame-Options "DENY" always;
+ add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none';" always;
+ #Mentioning headers to prevent XSS attacks and not to load any