restrict iframe usage to mitigate clickjacking

gchartier · gchartier · commit acacc34fbc5c · 2025-07-21T10:04:17.000-05:00
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
     "name": "orcfax.io",
-    "version": "2025-05-20",
+    "version": "2025-07-21",
     "private": true,
     "scripts": {
         "dev": "vite dev",
diff --git a/src/hooks.server.ts b/src/hooks.server.ts
@@ -0,0 +1,9 @@
+import type { Handle } from "@sveltejs/kit";
+
+export const handle: Handle = async ({ event, resolve }) => {
+    const response = await resolve(event);
+    response.headers.set("X-Frame-Options", "SAMEORIGIN");
+    response.headers.set("Content-Security-Policy", "frame-ancestors 'none'");
+
+    return response;
+};
