From c3702761987ff90ca0699ef70fa6ac68daa12d1f Mon Sep 17 00:00:00 2001
From: David Christofas <dchristofas@owncloud.com>
Date: Thu, 30 Sep 2021 14:00:21 +0200
Subject: [PATCH] add some information about the security headers

---
 ocis-pkg/middleware/header.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ocis-pkg/middleware/header.go b/ocis-pkg/middleware/header.go
index f8b12a7fed..a9a33dac98 100644
--- a/ocis-pkg/middleware/header.go
+++ b/ocis-pkg/middleware/header.go
@@ -35,11 +35,15 @@ func Cors(next http.Handler) http.Handler {
 // Secure writes required access headers to all requests.
 func Secure(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Access-Control-Allow-Origin", "*")
+		// Indicates whether the browser is allowed to render this page in a <frame>, <iframe>, <embed> or <object>.
 		w.Header().Set("X-Frame-Options", "DENY")
+		// Does basically the same as X-Frame-Options.
+		w.Header().Set("Content-Security-Policy", "frame-ancestors 'none'")
+		// This header inidicates that MIME types advertised in the Content-Type headers should not be changed and be followed.
 		w.Header().Set("X-Content-Type-Options", "nosniff")
 
 		if r.TLS != nil {
+			// Tell browsers that the website should only be accessed  using HTTPS.
 			w.Header().Set("Strict-Transport-Security", "max-age=31536000")
 		}