From 443543dba9e2d0d6033a2106f150edbbd10992bc Mon Sep 17 00:00:00 2001
From: Alex Grin
Date: Fri, 4 Sep 2020 13:04:00 -0400
Subject: [PATCH] block iframe embedding protects against clickjacking attacks. I'm not sure if we have any data worth jacking (maybe the youtube form?) but we may in the future.
---
 view/Response.class.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/view/Response.class.php b/view/Response.class.php
index e2b586c1..ac1b5ab9 100644
--- a/view/Response.class.php
+++ b/view/Response.class.php
@@ -249,10 +249,10 @@ class Response
     public static function setDefaultSecurityHeaders()
     {
         $defaultHeaders = [
-            //'Content-Security-Policy' => "frame-ancestors 'none'",
-            //'X-Frame-Options' => 'DENY',
-            'X-XSS-Protection' => '1',
-        ];
+            'Content-Security-Policy' => "frame-ancestors 'none'",
+            'X-Frame-Options' => 'DENY',
+            'X-XSS-Protection' => '1',
+        ];
         if (IS_PRODUCTION) {
             $defaultHeaders['Strict-Transport-Security'] = 'max-age=31536000';