From 951d05ea188c98af3c8f5fcf20576228364598aa Mon Sep 17 00:00:00 2001
From: Nikita Pavlovskiy
Date: Wed, 23 Aug 2023 15:58:18 +0200
Subject: [PATCH] Improve web security
---
 .../infrastructure/spring/security/WebSecurityConfig.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/apps/backend/api/src/main/java/com/nikitades/carres/infrastructure/spring/security/WebSecurityConfig.java b/apps/backend/api/src/main/java/com/nikitades/carres/infrastructure/spring/security/WebSecurityConfig.java
index 832b0f4..e970815 100644
--- a/apps/backend/api/src/main/java/com/nikitades/carres/infrastructure/spring/security/WebSecurityConfig.java
+++ b/apps/backend/api/src/main/java/com/nikitades/carres/infrastructure/spring/security/WebSecurityConfig.java
@@ -8,6 +8,7 @@
 import org.springframework.security.config.Customizer;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer.FrameOptionsConfig;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
 import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
 import org.springframework.security.web.SecurityFilterChain;
@@ -22,7 +23,8 @@ public class WebSecurityConfig {
 public SecurityFilterChain filterChain(HttpSecurity http, MvcRequestMatcher.Builder mvc)
 throws Exception {
 http
- .cors(Customizer.withDefaults())
+ .cors(Customizer.withDefaults()) //for h2
+ .headers(headers -> headers.frameOptions(FrameOptionsConfig::sameOrigin)) //for h2
 .csrf(csrf -> csrf.disable())
 .authorizeHttpRequests(requests -> {
 requests
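Review bot: The added `.headers(headers -> headers.frameOptions(FrameOptionsConfig::sameOrigin))` call loosens Spring Security's default `X-Frame-Options: DENY` to `SAMEORIGIN` for every response this chain serves, although the `//for h2` comment says only the H2 console needs it. If the console is a development-only tool, consider applying the relaxation only under a dev profile or in a separate `SecurityFilterChain` matched to the console path, so the production API keeps `DENY`. The `//for h2` comment on the `.cors(Customizer.withDefaults())` line looks misplaced, since framing the console depends on the frame-options header rather than on CORS; a comment such as `// H2 console is rendered in frames: relax X-Frame-Options from DENY to SAMEORIGIN` on the headers line alone would be more accurate. `filterChain` continues past the end of the hunk, so whether the console path is itself restricted in `authorizeHttpRequests` cannot be seen here.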