Description
Problem description (Describe the problem you would like to solve with this feature request or suggested idea).
Clickjacking is one of the "big dangers" of the internet and is very easy to deal with. A lot of security tools flag websites or webapps that are vulnerable to this threat. RedisInsight is one of the vulnerable apps...
How often do you encounter this problem (Describe how frequently this problem occurs).
Every time our security department does an automated test. (read: a lot...)
Alternatives considered (Describe any alternative features or products you've considered).
You could deal with it in your reverse proxy, but why leave it open when you can deal with it at the source of the issue...
Additional information (Add any other context or details here).
The solution is adding a header element "X-Frame-Options" with value "SAMEORIGIN".
In nginx this would read as
add_header X-Frame-Options SAMEORIGIN always;
I don't know anything about how RedisInsight is structured, but I would guess something along the lines of adding
res.setHeader('X-Frame-Options', 'SAMEORIGIN');
to the file '/opt/redis-stack/share/redisinsight/api/node_modules/express/lib/middleware/init.js'.
But another location would be possible too I guess... It should be included on every visible webpage.
There are other modules that do this for you (and they do other stuff as well) like helmet.js; this would be the better option, but requires more testing and implementation time.
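As an added example (not code from RedisInsight, Express or this issue's author), the following shows what the requested change looks like as a small Express-style middleware, and what an automated scanner actually checks for. It sets both X-Frame-Options and the Content-Security-Policy frame-ancestors directive, since browsers that support frame-ancestors ignore X-Frame-Options when that directive is present. It only relies on res.setHeader()/res.getHeader(), so it works with Node's http.ServerResponse as well as Express (registered with app.use(antiFramingMiddleware()) before the static/route handlers); the function names and the fake response object are assumptions made for the example.

```javascript
// Added example, not RedisInsight's or Express's own code.
// Middleware that adds anti-framing headers to every response.

const FRAME_OPTIONS = ['DENY', 'SAMEORIGIN']; // only non-deprecated X-Frame-Options values

// Build the middleware. `policy` is 'SAMEORIGIN' (the value requested in this
// issue) or 'DENY'. ALLOW-FROM is deprecated and deliberately rejected.
function antiFramingMiddleware(policy = 'SAMEORIGIN') {
  if (!FRAME_OPTIONS.includes(policy)) {
    throw new Error(`unsupported X-Frame-Options value: ${policy}`);
  }
  // Equivalent CSP source expression: DENY -> 'none', SAMEORIGIN -> 'self'
  const ancestors = policy === 'DENY' ? "'none'" : "'self'";
  const directive = `frame-ancestors ${ancestors}`;

  return function setAntiFramingHeaders(req, res, next) {
    res.setHeader('X-Frame-Options', policy);
    // Keep any CSP the app already sends; only add frame-ancestors if it is
    // missing (a second frame-ancestors directive would be ignored anyway).
    const existing = res.getHeader('Content-Security-Policy');
    if (!existing) {
      res.setHeader('Content-Security-Policy', directive);
    } else if (!/frame-ancestors/i.test(String(existing))) {
      res.setHeader('Content-Security-Policy', `${existing}; ${directive}`);
    }
    if (typeof next === 'function') next();
  };
}

// What a scanner checks on a response: is framing by arbitrary origins blocked?
// `headers` is a plain object of header name -> value (case-insensitive names).
// frame-ancestors takes precedence over X-Frame-Options, as in browsers; a
// frame-ancestors list containing '*' does not restrict anything. (Scheme-only
// sources such as "https:" are treated as restricting here, although they are
// very permissive in practice.)
function isFramingRestricted(headers) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) {
    lower[name.toLowerCase()] = String(value);
  }
  const csp = lower['content-security-policy'] || '';
  const frameAncestors = csp
    .split(';')
    .map((d) => d.trim())
    .find((d) => /^frame-ancestors(\s|$)/i.test(d));
  if (frameAncestors) {
    const sources = frameAncestors.split(/\s+/).slice(1);
    return !sources.includes('*'); // an empty source list means 'none'
  }
  const xfo = (lower['x-frame-options'] || '').trim().toUpperCase();
  return xfo === 'DENY' || xfo === 'SAMEORIGIN';
}

// Constructed stand-in for http.ServerResponse so the example runs offline.
function makeFakeResponse() {
  const headers = new Map();
  return {
    setHeader(name, value) { headers.set(name.toLowerCase(), value); },
    getHeader(name) { return headers.get(name.toLowerCase()); },
    getHeaders() { return Object.fromEntries(headers); },
  };
}

// Demo: an unprotected response fails the scanner check, the middleware fixes it.
function demo() {
  const res = makeFakeResponse();
  const before = isFramingRestricted(res.getHeaders());
  antiFramingMiddleware('SAMEORIGIN')(null, res, () => {});
  const after = isFramingRestricted(res.getHeaders());
  return { before, after, headers: res.getHeaders() };
}

module.exports = { antiFramingMiddleware, isFramingRestricted, makeFakeResponse, demo };
```

In an Express app the middleware goes before `express.static()` and the API routes so that every HTML page (the ones a clickjacking attack would frame) carries the headers; API-only JSON responses get them too, which is harmless. If a reverse proxy also adds the header with `add_header ... always;`, the two values should agree, otherwise browsers see a duplicated header.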