From bd5fe86c879d4fe5a39639f06b0de2799d499e15 Mon Sep 17 00:00:00 2001
From: Raul Murciano
Date: Mon, 28 Oct 2013 15:14:08 -0700
Subject: [PATCH 1/2] require `X-Frame-Options: SAMEORIGIN` for clickjack prevention

---
 config/initializers/11-rack-protection.rb | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 config/initializers/11-rack-protection.rb

diff --git a/config/initializers/11-rack-protection.rb b/config/initializers/11-rack-protection.rb
new file mode 100644
index 00000000000..68e3d710632
--- /dev/null
+++ b/config/initializers/11-rack-protection.rb
@@ -0,0 +1,3 @@
+require 'rack/protection'
+
+Rails.configuration.middleware.use Rack::Protection::FrameOptions
\ No newline at end of file

From 4f9aa6a92a66686744cea63845576159614e3f11 Mon Sep 17 00:00:00 2001
From: Raul Murciano
Date: Mon, 28 Oct 2013 17:00:31 -0700
Subject: [PATCH 2/2] Declare rack-protection dependency explicitely

---
 Gemfile      | 1 +
 Gemfile.lock | 1 +
 2 files changed, 2 insertions(+)

diff --git a/Gemfile b/Gemfile
index 4d13fd7ab42..fd2b2243020 100644
--- a/Gemfile
+++ b/Gemfile
@@ -116,6 +116,7 @@ gem 'therubyracer', require: 'v8'
 gem 'thin', require: false
 gem 'diffy', '>= 3.0', require: false
 gem 'highline', require: false
+gem 'rack-protection' # security
 
 # Gem that enables support for plugins. It is required.
 gem 'discourse_plugin', path: 'vendor/gems/discourse_plugin'
diff --git a/Gemfile.lock b/Gemfile.lock
index 704de69c964..abb543b815c 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -522,6 +522,7 @@ DEPENDENCIES
 qunit-rails
 rack-cors
 rack-mini-profiler!
+ rack-protection
 rails (= 3.2.12)
 rails_multisite!
 rake
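Review bot: The new initializer does not say why the middleware is added or which header value it sends, and the file also ends without a trailing newline (`\ No newline at end of file`). A one-line comment above the `use` line, e.g. `# Send X-Frame-Options: SAMEORIGIN so pages cannot be framed by other origins (clickjacking).`, would record the intent the commit title states. As far as I recall of rack-protection, FrameOptions only adds the header when the response looks like HTML and does not overwrite an X-Frame-Options header a controller has already set, so the policy is not unconditional — worth confirming against the gem version resolved in Gemfile.lock. Because SAMEORIGIN is only the gem's default, passing it explicitly, `Rails.configuration.middleware.use Rack::Protection::FrameOptions, frame_options: :sameorigin`, makes the chosen policy visible in this file rather than implied.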
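Review bot: The added `gem 'rack-protection' # security` carries no version constraint, and the `# security` comment does not say what the gem is used for. Neighbouring entries such as `gem 'diffy', '>= 3.0', require: false` show the file does constrain versions where it matters; a pessimistic constraint matching the version resolved in Gemfile.lock (e.g. `gem 'rack-protection', '~> <locked-version>'`) would keep a future `bundle update` from silently pulling in a release whose frame-options defaults differ. Replacing the comment with `# X-Frame-Options middleware, see config/initializers/11-rack-protection.rb` points a reader at the initializer that actually uses it.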