
Dissociate frameguard from csp

Chocobozzz 3 years ago
parent
commit
8155db669b

+ 5 - 0
config/default.yaml

@@ -153,6 +153,11 @@ csp:
   report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!
   report_uri:
 
+security:
+  # Set the X-Frame-Options header to help to mitigate clickjacking attacks
+  frameguard:
+    enabled: true
+
 tracker:
   # If you disable the tracker, you disable the P2P aspect of PeerTube
   enabled: true
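Review bot: The comment added above `security.frameguard` (and the identical hunk in config/production.yaml.example) says what the header does but not what turning it off costs: with `enabled: false` every page except the embed route that server.ts exempts becomes frameable by any origin, and the `csp` section above does not take over unless it carries a frame-ancestors directive, which is not visible here. Suggest extending the comment to `# Set the X-Frame-Options header to help to mitigate clickjacking attacks` followed by `# Disabling it lets any site embed PeerTube pages in an iframe; only do so if you serve an equivalent CSP frame-ancestors directive`.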

+ 5 - 0
config/production.yaml.example

@@ -151,6 +151,11 @@ csp:
   report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!
   report_uri:
 
+security:
+  # Set the X-Frame-Options header to help to mitigate clickjacking attacks
+  frameguard:
+    enabled: true
+
 tracker:
   # If you disable the tracker, you disable the P2P aspect of PeerTube
   enabled: true

+ 5 - 5
server.ts

@@ -59,11 +59,11 @@ import { baseCSP } from './server/middlewares/csp'
 
 if (CONFIG.CSP.ENABLED) {
   app.use(baseCSP)
-  app.use(helmet({
-    frameguard: {
-      action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
-    },
-    hsts: false
+}
+
+if (CONFIG.SECURITY.FRAMEGUARD.ENABLED) {
+  app.use(helmet.frameguard({
+    action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
   }))
 }
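Review bot: Replacing `helmet({...})` with `helmet.frameguard({...})` drops every other header that the aggregate `helmet()` middleware was setting in the CSP branch — with Helmet 3 the default set includes X-Content-Type-Options: nosniff, X-DNS-Prefetch-Control, X-Download-Options, removal of X-Powered-By and, depending on the version, X-XSS-Protection — so the hunk narrows the protection rather than only dissociating the two options, unless those headers are set elsewhere outside this hunk. If dropping them is not intended, keep the aggregate call in the CSP branch with frameguard turned off, `app.use(helmet({ frameguard: false, hsts: false }))`, and leave the new `helmet.frameguard` branch as written. The installed helmet version comes from the project's package.json, which is not on this page; confirm which middlewares its default set enables before deciding.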
 

+ 1 - 0
server/initializers/checker-before-init.ts

@@ -17,6 +17,7 @@ function checkMissedConfig () {
     'log.level',
     'user.video_quota', 'user.video_quota_daily',
     'csp.enabled', 'csp.report_only', 'csp.report_uri',
+    'security.frameguard.enabled',
     'cache.previews.size', 'cache.captions.size', 'cache.torrents.size', 'admin.email', 'contact_form.enabled',
     'signup.enabled', 'signup.limit', 'signup.requires_email_verification',
     'signup.filters.cidr.whitelist', 'signup.filters.cidr.blacklist',

+ 5 - 0
server/initializers/config.ts

@@ -134,6 +134,11 @@ const CONFIG = {
     REPORT_ONLY: config.get<boolean>('csp.report_only'),
     REPORT_URI: config.get<string>('csp.report_uri')
   },
+  SECURITY: {
+    FRAMEGUARD: {
+      ENABLED: config.get<boolean>('security.frameguard.enabled')
+    }
+  },
   TRACKER: {
     ENABLED: config.get<boolean>('tracker.enabled'),
     PRIVATE: config.get<boolean>('tracker.private'),

+ 34 - 0
server/tests/api/server/config.ts

@@ -12,6 +12,7 @@ import {
   getConfig,
   getCustomConfig,
   killallServers,
+  makeGetRequest,
   parallelTests,
   registerUser,
   reRunServer,
@@ -508,6 +509,39 @@ describe('Test config', function () {
     checkInitialConfig(server, data)
   })
 
+  it('Should enable frameguard', async function () {
+    this.timeout(25000)
+
+    {
+      const res = await makeGetRequest({
+        url: server.url,
+        path: '/api/v1/config',
+        statusCodeExpected: 200
+      })
+
+      expect(res.headers['x-frame-options']).to.exist
+    }
+
+    killallServers([ server ])
+
+    const config = {
+      security: {
+        frameguard: { enabled: false }
+      }
+    }
+    server = await reRunServer(server, config)
+
+    {
+      const res = await makeGetRequest({
+        url: server.url,
+        path: '/api/v1/config',
+        statusCodeExpected: 200
+      })
+
+      expect(res.headers['x-frame-options']).to.not.exist
+    }
+  })
+
   after(async function () {
     await cleanupTests([ server ])
   })
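Review bot: The assertion at line 116 only checks that an `x-frame-options` header exists, so any value (SAMEORIGIN, ALLOW-FROM) would pass and the test cannot catch a regression of the `action: 'deny'` setting in server.ts. Pin the value instead, `expect(res.headers['x-frame-options']).to.equal('DENY')`, which is what helmet's frameguard emits for action 'deny'. The test also exercises only /api/v1/config; a second request against a /videos/embed path would document the deliberate exception referenced in server.ts, though that behaviour predates this change.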