X-Frame-Options

BTCPayServer/Controllers/InvoiceController.UI.cs

@@ -95,6 +95,7 @@ namespace BTCPayServer.Controllers
 		[Route("i/{invoiceId}")]
 		[Route("invoice")]
 		[AcceptMediaTypeConstraint("application/bitcoin-paymentrequest", false)]
+		[XFrameOptionsAttribute(null)]
 		public async Task<IActionResult> Checkout(string invoiceId, string id = null)
 		{
 			//Keep compatibility with Bitpay

BTCPayServer/Filters/XFrameOptionsAttribute.cs

@@ -0,0 +1,33 @@
+using Microsoft.AspNetCore.Mvc.Filters;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+
+namespace BTCPayServer.Filters
+{
+	public class XFrameOptionsAttribute : Attribute, IActionFilter
+	{
+		public XFrameOptionsAttribute(string value)
+		{
+			Value = value;
+		}
+		public string Value
+		{
+			get; set;
+		}
+		public void OnActionExecuted(ActionExecutedContext context)
+		{
+			
+		}
+
+		public void OnActionExecuting(ActionExecutingContext context)
+		{
+			var existing = context.HttpContext.Response.Headers["x-frame-options"].FirstOrDefault();
+			if(existing != null && Value == null)
+				context.HttpContext.Response.Headers.Remove("x-frame-options");
+			else
+				context.HttpContext.Response.Headers["x-frame-options"] = Value;
+		}
+	}
+}

BTCPayServer/Hosting/Startup.cs

@@ -74,7 +74,10 @@ namespace BTCPayServer.Hosting
 			// Big hack, tests fails because Hangfire fail at initializing at the second test run
 			AddHangfireFix(services);
 			services.AddBTCPayServer();
-			services.AddMvc();
+			services.AddMvc(o =>
+			{
+				o.Filters.Add(new XFrameOptionsAttribute("DENY"));
+			});
 		}
 
 		// Big hack, tests fails if only call AddHangfire because Hangfire fail at initializing at the second test run