From f794b1eb1f31cabf2069fe211417f2aeb829ef01 Mon Sep 17 00:00:00 2001
From: Chris Meyers
Date: Tue, 3 Jan 2017 10:46:42 -0500
Subject: [PATCH] prevent click-jacking

---
 config/awx-nginx.conf | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/config/awx-nginx.conf b/config/awx-nginx.conf
index 759fc7eb5b..a87df125a9 100644
--- a/config/awx-nginx.conf
+++ b/config/awx-nginx.conf
@@ -76,6 +76,9 @@ http {
 # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
 add_header Strict-Transport-Security max-age=15768000;
+ # Protect against click-jacking https://www.owasp.org/index.php/Testing_for_Clickjacking_(OTG-CLIENT-009)
+ add_header X-Frame-Options "DENY";
+
 location /favicon.ico { alias /var/lib/awx/public/static/favicon.ico; }
 location /static { alias /var/lib/awx/public/static; }
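Review bot: The new `add_header X-Frame-Options "DENY";` line is only emitted on success and redirect responses, because nginx's add_header without the `always` parameter skips 4xx/5xx status codes; an attacker-framed login or error page is exactly the response that most needs the header, so it should read `add_header X-Frame-Options "DENY" always;` (supported since nginx 1.7.5). The same caveat applies to the HSTS directive two lines above, though that predates this commit. Note also that add_header directives are not inherited into any `location` block that declares an add_header of its own, so if any location in this file (the rest of the `http` block is outside the hunk) sets headers, both directives have to be repeated there or the frame protection silently disappears for those paths. As a follow-up, `Content-Security-Policy: frame-ancestors 'none'` is the standards-track replacement and is worth emitting alongside X-Frame-Options for browsers that honor it.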