add appropriate x-frame options

.gitignore

@@ -6,3 +6,4 @@
 
 /tweety.json
 /dist/
+/tweety

.vscode/tasks.json

@@ -7,6 +7,29 @@
             "command": "npm run build",
             "options": {
                 "cwd": "${workspaceFolder}/frontend"
+            },
+            "group": {
+                "kind": "build"
+            }
+        },
+        {
+            "label": "build tweety",
+            "type": "shell",
+            "command": "go build -o tweety",
+            "group": {
+                "kind": "build"
+            }
+        },
+        {
+            "label": "build",
+            "dependsOn": [
+                "build frontend",
+                "build tweety"
+            ],
+            "dependsOrder": "sequence",
+            "group": {
+                "kind": "build",
+                "isDefault": true
             }
         }
     ]

frontend/index.html

@@ -10,7 +10,6 @@
     content="default-src 'self'; script-src 'self'; style-src 'self'; connect-src 'self' ws://localhost:* http://localhost:*">
   <meta http-equiv="X-XSS-Protection" content="1; mode=block">
   <meta http-equiv="X-Content-Type-Options" content="nosniff">
-  <meta http-equiv="X-Frame-Options" content="DENY">
   <title>Terminal</title>
 </head>
 

server.go

@@ -29,6 +29,11 @@ func NewHandler() (http.Handler, error) {
 	r.Use(func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			w.Header().Set("Access-Control-Allow-Private-Network", "true")
+			w.Header().Set("X-Frame-Options", "SAMEORIGIN")
+			w.Header().Set("X-Content-Type-Options", "nosniff")
+			w.Header().Set("X-XSS-Protection", "1; mode=block")
+			w.Header().Set("Referrer-Policy", "same-origin")
+			w.Header().Set("Content-Security-Policy", "default-src 'self'; script-src 'self'; style-src 'self';")
 			next.ServeHTTP(w, r)
 		})
 	})