diff --git a/backend/src/Squidex/Areas/IdentityServer/Config/IdentityServerServices.cs b/backend/src/Squidex/Areas/IdentityServer/Config/IdentityServerServices.cs
index 9883fac12..fe8d71c95 100644
--- a/backend/src/Squidex/Areas/IdentityServer/Config/IdentityServerServices.cs
+++ b/backend/src/Squidex/Areas/IdentityServer/Config/IdentityServerServices.cs
@@ -5,6 +5,7 @@
 // All rights reserved. Licensed under the MIT license.
 // ==========================================================================
+using Microsoft.AspNetCore.Antiforgery;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.DataProtection;
 using Microsoft.AspNetCore.DataProtection.KeyManagement;
@@ -115,6 +116,13 @@ namespace Squidex.Areas.IdentityServer.Config
                 options.UseAspNetCore();
             });
+            services.Configure((services, options) =>
+            {
+                var identityOptions = services.GetRequiredService>().Value;
+
+                options.SuppressXFrameOptionsHeader = identityOptions.SuppressXFrameOptionsHeader;
+            });
+
             services.Configure((services, options) =>
             {
                 var urlGenerator = services.GetRequiredService();
diff --git a/backend/src/Squidex/Config/MyIdentityOptions.cs b/backend/src/Squidex/Config/MyIdentityOptions.cs
index 13ba019bb..57b79f1e6 100644
--- a/backend/src/Squidex/Config/MyIdentityOptions.cs
+++ b/backend/src/Squidex/Config/MyIdentityOptions.cs
@@ -73,6 +73,8 @@ namespace Squidex.Config
         public bool ShowPII { get; set; }
+        public bool SuppressXFrameOptionsHeader { get; set; }
+
         public bool IsAdminConfigured()
         {
             return !string.IsNullOrWhiteSpace(AdminEmail) && !string.IsNullOrWhiteSpace(AdminPassword);
diff --git a/backend/src/Squidex/Startup.cs b/backend/src/Squidex/Startup.cs
index 88364e41d..857e1e15b 100644
--- a/backend/src/Squidex/Startup.cs
+++ b/backend/src/Squidex/Startup.cs
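Review bot: The new `services.Configure` lambda copies `SuppressXFrameOptionsHeader` straight into the antiforgery options with no compensating control, so when the setting is true the identity pages that carry antiforgery tokens (login, consent, as far as I can tell from the area this lives in) stop receiving `X-Frame-Options: SAMEORIGIN` and nothing in this hunk emits a `Content-Security-Policy: frame-ancestors` directive in its place, which leaves the login form frameable by any origin. If the goal is embedding by one known host, the safer shape is to keep the header and add a `frame-ancestors` allow-list, or at minimum make the operator's obligation explicit next to the code. I would add above the lambda: `// Opt-out for deployments that embed the login UI in a trusted frame; the operator must then restrict framing with a CSP frame-ancestors policy, otherwise the identity pages become clickjackable.` The enclosing method starts and ends outside the hunk, and the generic type arguments on `Configure` and `GetRequiredService` appear stripped in this rendering, so the exact options type being configured cannot be confirmed from here.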
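Review bot: `SuppressXFrameOptionsHeader` is added to `MyIdentityOptions` without any XML doc, and because its only visible consumer (the antiforgery configuration in IdentityServerServices) uses it to drop a clickjacking defence, the cost of setting it should be stated where the option is declared. I would add: `/// <summary>Suppresses the X-Frame-Options header on the identity pages. Only set this when framing is restricted elsewhere (for example a CSP frame-ancestors directive); otherwise the login form can be embedded by any site.</summary>`. The enclosing class starts and ends outside the hunk.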
@@ -43,10 +43,8 @@ namespace Squidex
             services.AddSquidexIdentityServer();
             services.AddSquidexAuthentication(config);
-            services.AddSquidexImageResizing(config);
-            services.AddSquidexAssetInfrastructure(config);
-            services.AddSquidexSerializers();
             services.AddSquidexApps(config);
+            services.AddSquidexAssetInfrastructure(config);
             services.AddSquidexAssets(config);
             services.AddSquidexBackups();
             services.AddSquidexCommands(config);
@@ -58,6 +56,7 @@ namespace Squidex
             services.AddSquidexGraphQL();
             services.AddSquidexHealthChecks(config);
             services.AddSquidexHistory(config);
+            services.AddSquidexImageResizing(config);
             services.AddSquidexInfrastructure(config);
             services.AddSquidexLocalization();
             services.AddSquidexMigration(config);
@@ -67,6 +66,7 @@ namespace Squidex
             services.AddSquidexRules(config);
             services.AddSquidexSchemas();
             services.AddSquidexSearch();
+            services.AddSquidexSerializers();
             services.AddSquidexStoreServices(config);
             services.AddSquidexSubscriptions(config);
             services.AddSquidexTelemetry(config);
diff --git a/backend/src/Squidex/appsettings.json b/backend/src/Squidex/appsettings.json
index d8ef16e80..4e8667169 100644
--- a/backend/src/Squidex/appsettings.json
+++ b/backend/src/Squidex/appsettings.json
@@ -507,6 +507,9 @@
         // Enable password auth. Set this to false if you want to disable local login, leaving only 3rd party login options.
         "allowPasswordAuth": true,
+        // Specifies whether to suppress the generation of X-Frame-Options header which is used to prevent ClickJacking.
+        "suppressXFrameOptionsHeader": false,
+
         // Initial admin user.
         "adminEmail": "",
         "adminPassword": "",
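Review bot: The comment on `suppressXFrameOptionsHeader` names the header but not what the operator gives up by flipping it to true, and a setting whose sole effect is to remove a clickjacking defence needs that warning at the point where it is toggled. I would reword it to: `// Suppress the X-Frame-Options header (clickjacking protection) on the identity pages. Only enable this if framing is restricted by a Content-Security-Policy frame-ancestors directive elsewhere (e.g. at the reverse proxy); otherwise the login form can be embedded by any site.` The identity section this key sits in starts and ends outside the hunk.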