report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!
report_uri:
+security:
+ # Set the X-Frame-Options header to help to mitigate clickjacking attacks
+ frameguard:
+ enabled: true
+
tracker:
# If you disable the tracker, you disable the P2P aspect of PeerTube
enabled: true
report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!
report_uri:
+security:
+ # Set the X-Frame-Options header to help to mitigate clickjacking attacks
+ frameguard:
+ enabled: true
+
tracker:
# If you disable the tracker, you disable the P2P aspect of PeerTube
enabled: true
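Review bot: The comment on the new `frameguard` key says only that the header "helps to mitigate clickjacking attacks"; it does not say what is sent or that embeds are exempt, which is what an admin weighing `enabled: false` needs to know. Suggest `# Send the X-Frame-Options: DENY header on every response except the embed page (/videos/embed) to mitigate clickjacking; set to false only if you need other sites to frame PeerTube pages` (the embed exemption is taken from the server-side comment in this commit, so confirm it matches). The same wording applies to the identical hunk above this one.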
if (CONFIG.CSP.ENABLED) {
app.use(baseCSP)
- app.use(helmet({
- frameguard: {
- action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
- },
- hsts: false
+}
+
+if (CONFIG.SECURITY.FRAMEGUARD.ENABLED) {
+ app.use(helmet.frameguard({
+ action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
}))
}
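Review bot: The removed `app.use(helmet({ frameguard: {...}, hsts: false }))` registered every helmet default middleware except HSTS, while the new `app.use(helmet.frameguard(...))` registers only frameguard, so the other default headers (for example `X-Content-Type-Options: nosniff` and `X-DNS-Prefetch-Control`, and the removal of `X-Powered-By`) are no longer set unless that is done somewhere outside this hunk. If dropping them is not intended, keep the bundle in the CSP branch with the two moved or disabled parts switched off: `app.use(helmet({ frameguard: false, hsts: false }))` right after `app.use(baseCSP)`. It is also worth a comment that frameguard is now applied independently of `CONFIG.CSP.ENABLED`, which the old code tied it to.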
'log.level',
'user.video_quota', 'user.video_quota_daily',
'csp.enabled', 'csp.report_only', 'csp.report_uri',
+ 'security.frameguard.enabled',
'cache.previews.size', 'cache.captions.size', 'cache.torrents.size', 'admin.email', 'contact_form.enabled',
'signup.enabled', 'signup.limit', 'signup.requires_email_verification',
'signup.filters.cidr.whitelist', 'signup.filters.cidr.blacklist',
REPORT_ONLY: config.get<boolean>('csp.report_only'),
REPORT_URI: config.get<string>('csp.report_uri')
},
+ SECURITY: {
+ FRAMEGUARD: {
+ ENABLED: config.get<boolean>('security.frameguard.enabled')
+ }
+ },
TRACKER: {
ENABLED: config.get<boolean>('tracker.enabled'),
PRIVATE: config.get<boolean>('tracker.private'),
getConfig,
getCustomConfig,
killallServers,
+ makeGetRequest,
parallelTests,
registerUser,
reRunServer,
checkInitialConfig(server, data)
})
+ it('Should enable frameguard', async function () {
+ this.timeout(25000)
+
+ {
+ const res = await makeGetRequest({
+ url: server.url,
+ path: '/api/v1/config',
+ statusCodeExpected: 200
+ })
+
+ expect(res.headers['x-frame-options']).to.exist
+ }
+
+ killallServers([ server ])
+
+ const config = {
+ security: {
+ frameguard: { enabled: false }
+ }
+ }
+ server = await reRunServer(server, config)
+
+ {
+ const res = await makeGetRequest({
+ url: server.url,
+ path: '/api/v1/config',
+ statusCodeExpected: 200
+ })
+
+ expect(res.headers['x-frame-options']).to.not.exist
+ }
+ })
+
after(async function () {
await cleanupTests([ server ])
})
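Review bot: The enabled case only asserts `expect(res.headers['x-frame-options']).to.exist`, so a regression that sends a permissive value such as `SAMEORIGIN` would still pass; pin the value the `action: 'deny'` configuration produces with `expect(res.headers['x-frame-options']).to.equal('DENY')`. The test also never covers the stated exemption for the embed route, so a request to `/videos/embed/...` asserting the header is absent while frameguard is enabled would guard the one case the feature deliberately carves out. Note the test leaves the server running with `frameguard: { enabled: false }`; that is fine only because `after` tears the server down, which a short comment could say.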