app-backend: disallow all iframe embedding of the app

Signed-off-by: Patrik Oldsberg <poldsberg@gmail.com>
backstage · Dec 29, 2021 · 9d9cfc1 · 9d9cfc1
1 parent 0fdac13
commit 9d9cfc1
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 0 deletions.
diff --git a/.changeset/honest-chefs-mate.md b/.changeset/honest-chefs-mate.md
@@ -0,0 +1,5 @@
+---
+'@backstage/plugin-app-backend': patch
+---
+
+Set `X-Frame-Options: deny` rather than the default `sameorigin` for all content served by the `app-backend`.`
diff --git a/plugins/app-backend/package.json b/plugins/app-backend/package.json
@@ -38,6 +38,7 @@
     "express": "^4.17.1",
     "express-promise-router": "^4.1.0",
     "fs-extra": "9.1.0",
+    "helmet": "^4.0.0",
     "winston": "^3.2.1",
     "yn": "^4.0.0"
   },

diff --git a/plugins/app-backend/src/service/router.ts b/plugins/app-backend/src/service/router.ts
@@ -16,6 +16,7 @@
 
 import { notFoundHandler, resolvePackagePath } from '@backstage/backend-common';
 import { Config } from '@backstage/config';
+import helmet from 'helmet';
 import express from 'express';
 import Router from 'express-promise-router';
 import fs from 'fs-extra';
@@ -89,6 +90,8 @@ export async function createRouter(
 
   const router = Router();
 
+  router.use(helmet.frameguard({ action: 'deny' }));
+
   // Use a separate router for static content so that a fallback can be provided by backend
   const staticRouter = Router();
   staticRouter.use(express.static(resolvePath(appDistDir, 'static')));