Merge pull request #1585 from raul/prevent-clickjacking

Require `X-Frame-Options: SAMEORIGIN` for clickjack prevention

Gemfile

@@ -116,6 +116,7 @@ gem 'therubyracer', require: 'v8'
 gem 'thin', require: false
 gem 'diffy', '>= 3.0', require: false
 gem 'highline', require: false
+gem 'rack-protection' # security
 
 # Gem that enables support for plugins. It is required.
 gem 'discourse_plugin', path: 'vendor/gems/discourse_plugin'

Gemfile.lock

@@ -522,6 +522,7 @@ DEPENDENCIES
   qunit-rails
   rack-cors
   rack-mini-profiler!
+  rack-protection
   rails (= 3.2.12)
   rails_multisite!
   rake

config/initializers/11-rack-protection.rb

@@ -0,0 +1,3 @@
+require 'rack/protection'
+
+Rails.configuration.middleware.use Rack::Protection::FrameOptions