How to prevent Clickjacking on Dex web app?

[ariary]

Hello all,

Context
In my company we are using Dex. We realized that the Dex web application is vulnerable to clickjacking attack (see more about clickjacking here).
An effective way to protect against Clickjacking (it is the recommandation to be exact), is to send Content Security Policy (CSP) frame-ancestors directive response headers.

Issue
We did not find a way to use this header with the Dex web app response.
We see that equivalent configs are in place for the CORS policy (with the AllowedOrigins field in the web config) and we were hoping something similar for CSP header as these two cases are similar as they allow us to set the security context of the web app.

This brings us to the question, how could we prevent Clickjacking on dex web app?

[rsmarples]

We have this in our yaml dex config:

  web:
    allowedOrigins: 
    - "http://localhost:9000"
    headers:
      Content-Security-Policy: "frame-ancestors 'none';"

Works great, we see the header added to the login page html returned.

[SEJeff]

Can this be added into the documentation?

[nabokihms]

I think we need help with this. If there is someone who can describe settings of the web section and add it here, PRs are welcomed.