I can’t find head.html.
I’m running Mattermost on a Debian/Apache2 server.
The only reference to antiClickjack is found in the file
‘/opt/mattermost/webapp/dist/52.2ebba305a3f129d699b9.js’ and it seems a bit messy to fool around with it.
There is an option in apache (security.conf), with mod_headers enabled.
I’m gonna try it, but I have low expectations since the Mattermost java code calls for an “antiClickjack” object.
Otherwise, in the source code, I found something interesting in ./api/files.go
Here are the lines 522-541
```go
func writeFileResponse(filename string, contentType string, bytes []byte, w http.ResponseWriter, r *http.Request) *model.AppError {
	w.Header().Set("Cache-Control", "max-age=2592000, public")
	w.Header().Set("Content-Length", strconv.Itoa(len(bytes)))

	if contentType != "" {
		w.Header().Set("Content-Type", contentType)
	} else {
		w.Header().Del("Content-Type") // Content-Type will be set automatically by the http writer
	}

	w.Header().Set("Content-Disposition", "attachment;filename=\""+filename+"\"; filename*=UTF-8''"+url.QueryEscape(filename))

	// prevent file links from being embedded in iframes
	w.Header().Set("X-Frame-Options", "DENY")
	w.Header().Set("Content-Security-Policy", "Frame-ancestors 'none'")

	w.Write(bytes)

	return nil
}
```
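Added example, not part of the original post and not Mattermost's own code: a small Go check that classifies the framing policy a response carries, using the two headers from the `files.go` excerpt above. The names `framingPolicy`, `fileHandler` and `check` are hypothetical, and `fileHandler` is a constructed stand-in for `writeFileResponse`.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// framingPolicy reports how a browser treats a response loaded in an iframe.
// CSP frame-ancestors (name matched case-insensitively) overrides X-Frame-Options.
func framingPolicy(h http.Header) string {
	for _, policy := range h.Values("Content-Security-Policy") {
		for _, directive := range strings.Split(policy, ";") {
			f := strings.Fields(directive)
			if len(f) == 0 || !strings.EqualFold(f[0], "frame-ancestors") {
				continue
			}
			if len(f) == 1 || (len(f) == 2 && strings.EqualFold(f[1], "'none'")) {
				return "deny (CSP)"
			}
			return "restricted to: " + strings.Join(f[1:], " ")
		}
	}
	switch strings.ToUpper(strings.TrimSpace(h.Get("X-Frame-Options"))) {
	case "DENY":
		return "deny (XFO)"
	case "SAMEORIGIN":
		return "same-origin only (XFO)"
	}
	return "no restriction"
}

// fileHandler is a stand-in that sets the same two headers as the files.go excerpt.
func fileHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("X-Frame-Options", "DENY")
	w.Header().Set("Content-Security-Policy", "Frame-ancestors 'none'")
}

// check runs a handler in-process and classifies the headers of its response.
func check(h http.HandlerFunc) string {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest("GET", "/", nil))
	return framingPolicy(rec.Result().Header)
}

func main() {
	fmt.Println("file response:", check(fileHandler))
}
```

The same `framingPolicy` function can be given the headers of a response fetched through Apache to confirm what a mod_headers setting actually sends.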