letsencrypt · pgporada · Jul 10, 2020 · Sep 28, 2023 · Sep 28, 2023 · Sep 28, 2023
diff --git a/config/_default/server.toml b/config/_default/server.toml
@@ -27,8 +27,10 @@ Permissions-Policy = """
 # "img-src data: blob:" is for Plotly download feature
 # "script-src unsafe-eval unsafe-inline data:": For Google Analytics
 # "form-action" is NOT set, so it allows everything (it doesn't default to default-src). If restricted, It must allow at least www.paypal.com and its redirects
+# "frame-ancestors" is a modern equivalent and successor to the X-Frame-Options header
 Content-Security-Policy = """
     default-src 'none';
+    frame-ancestors 'none';
     font-src 'self';
     style-src 'unsafe-inline' 'self';
     script-src 'unsafe-eval' 'unsafe-inline' 'self' data:

diff --git a/netlify.toml b/netlify.toml
@@ -36,8 +36,10 @@ Permissions-Policy = """
 # "img-src data: blob:" is for Plotly download feature
 # "script-src unsafe-eval unsafe-inline data:": For Google Analytics
 # "form-action" is NOT set, so it allows everything (it doesn't default to default-src). If restricted, It must allow at least www.paypal.com and its redirects
+# "frame-ancestors" is a modern equivalent and successor to the X-Frame-Options header
 Content-Security-Policy = """
     default-src 'none';
+    frame-ancestors 'none';
     font-src 'self';
     style-src 'unsafe-inline' 'self';
     script-src 'unsafe-eval' 'unsafe-inline' 'self' data: