From a23fb0f209106c0759d4209b3d23d5d21667e7ca Mon Sep 17 00:00:00 2001
From: Philipp Rothmann
Date: Mon, 12 Sep 2022 10:56:11 +0200
Subject: [PATCH] add headers to embed authentik in iframes
---
 .env.sample | 2 ++
 compose.yml | 5 +++++
 2 files changed, 7 insertions(+)
diff --git a/.env.sample b/.env.sample
index 2c75e0e..cb29b98 100644
--- a/.env.sample
+++ b/.env.sample
@@ -31,3 +31,5 @@ AUTHENTIK_LOG_LEVEL=info
 # SECRET_SECRET_KEY_VERSION=v1
 # SECRET_ADMIN_TOKEN_VERSION=v1
 # SECRET_ADMIN_PASS_VERSION=v1
+
+# X_FRAME_OPTIONS_ALLOW_FROM=dashboard.example.org
diff --git a/compose.yml b/compose.yml
index 9e3f5fc..6bc90c3 100644
--- a/compose.yml
+++ b/compose.yml
@@ -55,6 +55,11 @@ services:
 - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)"
 - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure"
 - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}"
+ - "traefik.http.routers.${STACK_NAME}.middlewares=${STACK_NAME}-redirect,${STACK_NAME}-frameOptions"
+ - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLForceHost=true"
+ - "traefik.http.middlewares.${STACK_NAME}-redirect.headers.SSLHost=${DOMAIN}"
+ - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.customFrameOptionsValue=SAMEORIGIN"
+ - "traefik.http.middlewares.${STACK_NAME}-frameOptions.headers.contentSecurityPolicy=frame-ancestors ${X_FRAME_OPTIONS_ALLOW_FROM}"
 - "coop-cloud.${STACK_NAME}.version=0.3.0+2022.7.3"
 worker:
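Review bot: The new sample entry `X_FRAME_OPTIONS_ALLOW_FROM` carries no comment saying what it controls, and its name suggests the obsolete X-Frame-Options ALLOW-FROM directive while compose.yml feeds the value into the CSP `frame-ancestors` directive. A one-line comment above it would help operators scope it correctly, for example `# Origin allowed to embed authentik in an iframe (CSP frame-ancestors); list only origins you control`. Writing the sample value with its scheme, `https://dashboard.example.org`, would also make it explicit that only the HTTPS origin is meant.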
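Review bot: The `contentSecurityPolicy` label interpolates `${X_FRAME_OPTIONS_ALLOW_FROM}` with no default, while .env.sample ships that variable commented out, so a stock deployment would render a bare `frame-ancestors ` directive with an empty source list. Browsers that support `frame-ancestors` ignore X-Frame-Options when both headers are present, so the `SAMEORIGIN` value on the line above would not be the effective policy there, and an empty list is, as far as I know, handled like `'none'`. Keeping same-origin framing explicit covers both the unset and the set case: `contentSecurityPolicy=frame-ancestors 'self' ${X_FRAME_OPTIONS_ALLOW_FROM}`. It is also worth confirming that this header does not replace a Content-Security-Policy that authentik itself sends, since the login pages of an identity provider are a sensitive clickjacking target. The labels list these lines belong to starts outside the hunk.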