Use whitelist for config.x_frame_options

2019-06-19 14:08:05 -05:00 · 2019-06-19 14:08:05 -05:00 · 73cd2124f2
parent 96ecddf32e
commit 73cd2124f2
1 changed files with 1 additions and 2 deletions
--- a/config/application.rb
+++ b/config/application.rb
@ -49,8 +49,7 @@ module FarmBot
    SecureHeaders::Configuration.default do |config|
      config.hsts = "max-age=#{1.week.to_i}"
      # We need this off in dev mode otherwise email previews won't show up.
-      puts "Don't forget to uncomment this!!!"
-      config.x_frame_options = "ALLOWALL" # if Rails.env.production?
+      config.x_frame_options = "ALLOW-FROM https://farm.bot" # For marketing demos
      config.x_content_type_options = "nosniff"
      config.x_xss_protection = "1; mode=block"
      config.x_download_options = "noopen"