authorJohn McLear <john@mclear.co.uk>2013-03-14 19:03:20 -0300
committerJohn McLear <john@mclear.co.uk>2013-03-14 19:03:20 -0300
commitffe7e65db64a92abb193ae161bec121c51a0298b (patch)
tree64f7248a2aa490c9cf5dfea14a39a21fc06a042a
parent5d12be940c6ed3062637be0f940a25f92702fb71 (diff)
allow strict transport if ssl is on and stop x-frame-options, this might break embedded pads, please test
-rw-r--r--src/node/hooks/express.js7
1 files changed, 6 insertions, 1 deletions
diff --git a/src/node/hooks/express.js b/src/node/hooks/express.js
index 34baca40..7e9546c2 100644
--- a/src/node/hooks/express.js
+++ b/src/node/hooks/express.js
@@ -27,7 +27,7 @@ exports.createServer = function () {
}
console.log("Report bugs at https://github.com/ether/etherpad-lite/issues")
- serverName = "Etherpad-Lite " + version + " (http://etherpad.org)";
+ serverName = "Etherpad " + version + " (http://etherpad.org)";
exports.restartServer();
@@ -71,6 +71,11 @@ exports.restartServer = function () {
}
app.use(function (req, res, next) {
+ res.header("X-Frame-Options", "deny");
+ if(settings.ssl){ // if we use SSL
+ res.header("X-Frame-Options", "max-age=31536000; includeSubDomains");
+ }
+
res.header("Server", serverName);
next();
});
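Review bot: The header set inside the `if(settings.ssl)` branch uses the name `X-Frame-Options` but carries an HSTS value, so with SSL enabled no `Strict-Transport-Security` header is sent at all. It also replaces the `deny` set one line earlier with a value browsers are unlikely to treat as a framing policy, which would leave SSL deployments without the clickjacking protection this change intends. The line should read `res.header("Strict-Transport-Security", "max-age=31536000; includeSubDomains");`. Because `deny` blocks all embedding, as the commit message itself flags, a comment such as `// clickjacking protection: blocks iframe-embedded pads` above the first header would record that trade-off. The middleware sits inside `exports.restartServer`, whose body continues outside the hunk.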