From 110dbd9acd2e1d4912b03dcdab67586b8357f363 Mon Sep 17 00:00:00 2001
From: Prateek Shourya
Date: Fri, 9 Jan 2026 04:03:41 +0530
Subject: [PATCH] [VPAT-50] chore(security): add X-Frame-Options header to nginx configuration to prevent clickjacking attacks (#8507)

* [VPAT-50] chore(security): add X-Frame-Options header to nginx configuration to prevent clickjacking attacks

* [SECURITY] chore: enhance nginx configuration with additional security headers
---
 apps/admin/nginx/nginx.conf | 6 ++++++
 apps/web/nginx/nginx.conf | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/apps/admin/nginx/nginx.conf b/apps/admin/nginx/nginx.conf
index 243aebff5..0fd4a192a 100644
--- a/apps/admin/nginx/nginx.conf
+++ b/apps/admin/nginx/nginx.conf
@@ -20,6 +20,12 @@ http {
     server {
         listen 3000;
 
+        # Security headers
+        add_header X-Frame-Options "DENY" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+        add_header X-XSS-Protection "1; mode=block" always;
+
         location / {
             root /usr/share/nginx/html;
             index index.html index.htm;
diff --git a/apps/web/nginx/nginx.conf b/apps/web/nginx/nginx.conf
index 160fcb9be..34e07ba4b 100644
--- a/apps/web/nginx/nginx.conf
+++ b/apps/web/nginx/nginx.conf
@@ -20,6 +20,12 @@ http {
     server {
         listen 3000;
 
+        # Security headers
+        add_header X-Frame-Options "DENY" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+        add_header X-XSS-Protection "1; mode=block" always;
+
         location / {
             root /usr/share/nginx/html;
             index index.html index.htm;
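Review bot: The four `add_header` lines sit at `server` level, but nginx inherits `add_header` from the enclosing block only when the current block declares no `add_header` of its own, so any `location` in these files that sets even one header (a `Cache-Control` for static assets, say) will silently drop all four security headers for that path; either repeat them inside each `location` or put them in a shared snippet that every block `include`s, and add a comment such as `# NOTE: add_header is not inherited into a location that has its own add_header` above the group. `X-XSS-Protection "1; mode=block"` is deprecated and current OWASP guidance is `add_header X-XSS-Protection "0" always;`, because the legacy browser filter it turns on has itself been a source of issues in older browsers. The `Strict-Transport-Security` header is only honoured by browsers when the response arrives over HTTPS, which this `listen 3000;` server does not terminate, and `includeSubDomains` with a one-year `max-age` will break any subdomain still served over plain HTTP, so confirm the TLS proxy in front of this does not already emit HSTS (you would get duplicate headers) before relying on this line. Consider adding `add_header Content-Security-Policy "frame-ancestors 'none'" always;` beside `X-Frame-Options`, since CSP `frame-ancestors` supersedes it in current browsers. The identical block in apps/web/nginx/nginx.conf has the same points.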