From c17b4813460c3ab57afba7d8bdfcc6aae9bf4065 Mon Sep 17 00:00:00 2001
From: Viktor Barzin <vbarzin@gmail.com>
Date: Sun, 18 Jan 2026 13:41:20 +0000
Subject: [PATCH] disallow my sites from being iframed [ci skip]

---
 modules/kubernetes/ingress_factory/main.tf | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/modules/kubernetes/ingress_factory/main.tf b/modules/kubernetes/ingress_factory/main.tf
index 89e8bc7c..6a871afd 100644
--- a/modules/kubernetes/ingress_factory/main.tf
+++ b/modules/kubernetes/ingress_factory/main.tf
@@ -119,6 +119,8 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
       "nginx.ingress.kubernetes.io/configuration-snippet" = <<-EOF
       limit_req_status 429;
       limit_conn_status 429;
+      # Prevent iframe embedding (clickjacking protection) - allow subdomains only
+      add_header Content-Security-Policy "frame-ancestors 'self' *.viktorbarzin.me viktorbarzin.me" always;
       ${var.rybbit_site_id != null ? <<-JS
         # Rybbit Analytics
         # Only modify HTML