mirror of
https://github.com/TryGhost/Ghost.git
synced 2024-12-21 09:52:06 +03:00
f88adb9180
no issue
- by default the `/ghost/` route will add an `x-frame-options: sameorigin` header to the response to help protect the admin area against clickjacking
- the header can be disabled by adding `"adminFrameProtection": false` to the `config.{env}.json` configuration file
Credits: Muhammad Fawwad Obaida
34 lines
1.0 KiB
JavaScript
34 lines
1.0 KiB
JavaScript
const debug = require('ghost-ignition').debug('web:admin:controller');
|
|
const path = require('path');
|
|
const config = require('../../config');
|
|
const updateCheck = require('../../update-check');
|
|
const common = require('../../lib/common');
|
|
|
|
/**
|
|
* @description Admin controller to handle /ghost/ requests.
|
|
*
|
|
* Every request to the admin panel will re-trigger the update check service.
|
|
*
|
|
* @param req
|
|
* @param res
|
|
*/
|
|
module.exports = function adminController(req, res) {
|
|
debug('index called');
|
|
|
|
// CASE: trigger update check unit and let it run in background, don't block the admin rendering
|
|
updateCheck()
|
|
.catch((err) => {
|
|
common.logging.error(err);
|
|
});
|
|
|
|
const defaultTemplate = config.get('env') === 'production' ? 'default-prod.html' : 'default.html';
|
|
const templatePath = path.resolve(config.get('paths').adminViews, defaultTemplate);
|
|
const headers = {};
|
|
|
|
if (config.get('adminFrameProtection')) {
|
|
headers['X-Frame-Options'] = 'sameorigin';
|
|
}
|
|
|
|
res.sendFile(templatePath, {headers});
|
|
};
|