From e1d1a5240c98a427f2ef10f2a7cbee0c9a883834 Mon Sep 17 00:00:00 2001
From: DJ Mountney
Date: Thu, 8 Jun 2017 09:54:24 -0700
Subject: Merge branch 'dz-api-x-frame' into 'security-9-2'

Restrict API X-Frame-Options to same origin

See merge request !2103
---
 lib/api/api.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/api/api.rb b/lib/api/api.rb
index 88f91c07194..d767af36e8e 100644
--- a/lib/api/api.rb
+++ b/lib/api/api.rb
@@ -45,6 +45,7 @@ module API
 end
 before { allow_access_with_scope :api }
+ before { header['X-Frame-Options'] = 'SAMEORIGIN' }
 before { Gitlab::I18n.locale = current_user&.preferred_language }
 after { Gitlab::I18n.use_default_locale }
--
cgit v1.2.1
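Review bot: The new `before` callback is ordered after `before { allow_access_with_scope :api }`, so a request that the scope check rejects with `error!` before this callback runs would presumably produce a 401/403 response that does not carry `X-Frame-Options`; placing `before { header['X-Frame-Options'] = 'SAMEORIGIN' }` as the first callback, above the scope check, would cover those error responses as well. Since `X-Frame-Options` is superseded by CSP, consider also emitting `Content-Security-Policy: frame-ancestors 'self'` from the same callback, and confirm that `SAMEORIGIN` rather than `DENY` is intentional — an API rarely has a legitimate same-origin framing use case, though the commit title suggests the choice was deliberate. The diffstat shows no spec change; a request spec asserting the header on an API response (including an unauthenticated one) would pin this behaviour against future reordering of the callbacks. The enclosing `module API` body starts and ends outside the hunk.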