From 9197175ec4b157a03c5c89fdb4a09cae2e61aa56 Mon Sep 17 00:00:00 2001
From: Atharv Bhandare
Date: Wed, 30 Apr 2025 13:29:52 +1000
Subject: [PATCH] Added security headers to prevent Click Jacking and XSS inside production/proxy-nginx.conf
---
 production/shared-files/proxy-nginx.conf | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/production/shared-files/proxy-nginx.conf b/production/shared-files/proxy-nginx.conf
index b5537ae6e..12db037ab 100644
--- a/production/shared-files/proxy-nginx.conf
+++ b/production/shared-files/proxy-nginx.conf
@@ -31,6 +31,11 @@ http {
 ssl_certificate /etc/nginx/cert.crt;
 ssl_certificate_key /etc/nginx/key.key;
+# Security Headers added here to Prevent Clickjacking
+add_header X-Frame-Options "DENY" always;
+add_header Content-Security-Policy "default-src 'self'; frame-ancestors 'none';" always;
+#Mentioning headers to prevent XSS attacks and not to load any