Selective route permission to use embeds, fixes #322 in a better way (#364)

1 files changed, 6 insertions, 0 deletions

diff --git a/support/nginx/peertube b/support/nginx/peertube
index e94eac5e8..bde0b18e8 100644
--- a/support/nginx/peertube
+++ b/support/nginx/peertube
@@ -38,6 +38,7 @@ server {
   # resolver_timeout 5s;
 
   add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+  add_header X-Frame-Options DENY;
   add_header X-Content-Type-Options nosniff;
   add_header X-XSS-Protection "1; mode=block";
   add_header X-Robots-Tag none;
@@ -103,6 +104,11 @@ server {
     alias /var/www/peertube/storage/videos;
   }
 
+  # Allow embeds
+  location /videos/embed {
+    proxy_hide_header X-Frame-Options;
+  }
+
   # Websocket tracker
   location /tracker/socket {
     # Peers send a message to the tracker every 15 minutes