> Proposed title of this feature request

Router settings for x-frame-options

> What is the nature and description of the request?

To prevent "click jacking attacks" the router should be able to DENY, allow rendering from SAMEORIGIN, or allow rendering from defined origins: ALLOW-FROM.

> Why does the customer need this? (List the business requirements here)

Customer needs this so that "security compliance checks" can be run on the platform, and pass security inspections. Customer needs the ability to "globally" set the x-frame-options for all applications in the environment, and customize it per application if (necessary).

> How would the customer like to achieve this? (List the functional requirements here)

Customer would like to use router (ENV) settings or (annotations) to provide the needed configurations on the router or routes.

> For each functional requirement listed, specify how Red Hat and the customer can test to confirm the requirement is successfully implemented.

You should be able to test that "generic routes" (created without annotations) get the correct x-frame-options. You should be able to test that "annotated" routes override this configuration.

> Is there already an existing RFE upstream or in Red Hat Bugzilla?

No

> List any affected packages or components.

HAProxy
HAProxy should be able to set X-Frame-Options with a configuration like the following:

> http-response set-header X-Frame-Options DENY

With that said, configurations that look for the existence of ENV variables (for global settings) and/or annotations (for specific routes) can allow you to customize the "value" portion of the header to match that of the RFC.
With a custom router template [1] and route annotations [2] you could do this in 3.3. Otherwise, this will not be added as a core feature before we move to the ingress object, and even then it won't happen within a year.

[1] https://docs.openshift.com/enterprise/3.2/install_config/install/deploy_router.html#using-configmap-replace-template
[2] If you look in the 3.3 router template you will see where it uses annotations to set options. You can follow that pattern to set the http-response header as you wish.
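To make the two comments above concrete, here is the shape of HAProxy configuration that a customised router template would need to render: a global X-Frame-Options default for every route, overridden for one route (standing in for an annotated route). This is an added example, not the bug report's or the OpenShift router template's own config; the section names, host names and ports are constructed.

```haproxy
# Added example: global X-Frame-Options default with a per-route override.
# Section names, host names and backend ports are constructed placeholders.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_public
    bind *:8080
    # Request headers are no longer accessible on the response side, so
    # store the Host now in a transaction variable for later ACL use.
    http-request set-var(txn.host) req.hdr(host),lower

    # Stand-in for an annotated route: this host is allowed same-origin framing.
    acl route_dashboard var(txn.host) -m str dashboard.apps.example.test

    use_backend be_dashboard if route_dashboard
    default_backend be_app

    # Global default (what a router ENV setting would drive): forbid framing.
    # set-header overwrites any value the application itself emitted, so a
    # backend cannot silently weaken the policy; use add-header if you want
    # the application's own value to be kept alongside.
    http-response set-header X-Frame-Options DENY if !route_dashboard
    # Per-route override (what a route annotation would drive).
    http-response set-header X-Frame-Options SAMEORIGIN if route_dashboard
    # Note: ALLOW-FROM from RFC 7034 is not honoured by current browsers;
    # for a per-origin allowance use Content-Security-Policy frame-ancestors.

backend be_app
    server app1 127.0.0.1:9001

backend be_dashboard
    server dash1 127.0.0.1:9002
```

Check the result with `curl -sI -H 'Host: dashboard.apps.example.test' http://127.0.0.1:8080/` (expect SAMEORIGIN) and with any other Host (expect DENY), which is the "generic route" versus "annotated route" test the RFE asks for.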
Since we don't support custom router templates, we fall to the second case. So we aren't going to implement this on the router, but may add something like it for the upstream kubernetes ingress object. But that likely won't happen until at least late next year.