From aef49cb8d65681c5a6afcb9315b1ecb8c0631b0c Mon Sep 17 00:00:00 2001
From: Deluan
Date: Thu, 2 May 2024 12:12:19 -0400
Subject: [PATCH] Add `HTTPSecurityHeaders.CustomFrameOptionsValue` option.

Requested in https://github.com/navidrome/navidrome/issues/248#issuecomment-1783768985
---
 conf/configuration.go | 7 +++++++
 server/middlewares.go | 9 +++++----
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/conf/configuration.go b/conf/configuration.go
index db14f84cb..8bf011599 100644
--- a/conf/configuration.go
+++ b/conf/configuration.go
@@ -80,6 +80,7 @@ type configOptions struct {
 	PasswordEncryptionKey string
 	ReverseProxyUserHeader string
 	ReverseProxyWhitelist string
+	HTTPSecurityHeaders secureOptions
 	Prometheus prometheusOptions
 	Scanner scannerOptions
 	Jukebox jukeboxOptions
@@ -130,6 +131,10 @@ type listenBrainzOptions struct {
 	BaseURL string
 }
+type secureOptions struct {
+	CustomFrameOptionsValue string
+}
+
 type prometheusOptions struct {
 	Enabled bool
 	MetricsPath string
@@ -350,6 +355,8 @@ func init() {
 	viper.SetDefault("listenbrainz.enabled", true)
 	viper.SetDefault("listenbrainz.baseurl", "https://api.listenbrainz.org/1/")
+	viper.SetDefault("httpsecurityheaders.customframeoptionsvalue", "DENY")
+
 	// DevFlags. These are used to enable/disable debugging and incomplete features
 	viper.SetDefault("devlogsourceline", false)
 	viper.SetDefault("devenableprofiler", false)
diff --git a/server/middlewares.go b/server/middlewares.go
index 7bbfbd0d6..dd4d62660 100644
--- a/server/middlewares.go
+++ b/server/middlewares.go
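Review bot: The new `secureOptions` struct and its `CustomFrameOptionsValue` field in the second hunk carry no comment, and the field's contract is not obvious from its name: per the middlewares.go hunk the string is handed to the header middleware verbatim, and browsers honour only `DENY` and `SAMEORIGIN` for X-Frame-Options, so a typo or the obsolete `ALLOW-FROM uri` form leaves the UI frameable rather than failing loudly. I would add `// secureOptions holds the HTTP security-header settings consumed by server.secureMiddleware.` above the struct and `// CustomFrameOptionsValue is sent as the X-Frame-Options header. Use DENY (default) or SAMEORIGIN; browsers ignore any other value, which disables clickjacking protection.` on the field. The `"DENY"` default in the init() hunk preserves the behaviour before this patch, which is worth stating in a short comment next to that `SetDefault` call so nobody later "relaxes" it thinking it is a new restriction.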
@@ -98,10 +98,11 @@ func corsHandler() func(http.Handler) http.Handler {
 func secureMiddleware() func(http.Handler) http.Handler {
 	sec := secure.New(secure.Options{
-		ContentTypeNosniff: true,
-		FrameDeny: true,
-		ReferrerPolicy: "same-origin",
-		PermissionsPolicy: "autoplay=(), camera=(), microphone=(), usb=()",
+		ContentTypeNosniff: true,
+		FrameDeny: true,
+		ReferrerPolicy: "same-origin",
+		PermissionsPolicy: "autoplay=(), camera=(), microphone=(), usb=()",
+		CustomFrameOptionsValue: conf.Server.HTTPSecurityHeaders.CustomFrameOptionsValue,
 		//ContentSecurityPolicy: "script-src 'self' 'unsafe-inline'",
 	})
 	return sec.Handler
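Review bot: The added `CustomFrameOptionsValue:` line passes the configured string into `secure.Options` without any validation, so a misconfigured value (a typo, lowercase, or the obsolete `ALLOW-FROM uri` form) is emitted as-is and modern browsers then ignore the header entirely — the deployment silently loses its clickjacking protection instead of getting the intended restriction. As far as I recall, unrolled/secure uses CustomFrameOptionsValue in preference to FrameDeny whenever it is non-empty, so the `FrameDeny: true` kept on the line above is not a safety net here. I would normalise the value and fall back to DENY with a warning when it is not one of the two values browsers honour, as below (assuming `strings` and the project's `log` package are importable in this file); if the operator's real need is to let one specific origin embed the player, that is a CSP `frame-ancestors` directive — the `ContentSecurityPolicy` option is still commented out below — not an X-Frame-Options value. The closing brace of secureMiddleware lies outside the hunk.
```go
func secureMiddleware() func(http.Handler) http.Handler {
	// X-Frame-Options is only understood as DENY or SAMEORIGIN; browsers ignore
	// anything else, which would silently disable framing protection.
	frameOpts := strings.ToUpper(strings.TrimSpace(conf.Server.HTTPSecurityHeaders.CustomFrameOptionsValue))
	switch frameOpts {
	case "", "DENY":
		frameOpts = "DENY"
	case "SAMEORIGIN":
	default:
		log.Warn("Ignoring invalid HTTPSecurityHeaders.CustomFrameOptionsValue, using DENY", "value", frameOpts)
		frameOpts = "DENY"
	}
	sec := secure.New(secure.Options{
		// … unchanged: ContentTypeNosniff, FrameDeny, ReferrerPolicy, PermissionsPolicy …
		CustomFrameOptionsValue: frameOpts,
		// … unchanged: commented-out ContentSecurityPolicy, end of Options literal, return …
```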