Add HTTPSecurityHeaders.CustomFrameOptionsValue option.

Requested in https://github.com/navidrome/navidrome/issues/248#issuecomment-1783768985

conf/configuration.go

@@ -80,6 +80,7 @@ type configOptions struct {
 	PasswordEncryptionKey        string
 	ReverseProxyUserHeader       string
 	ReverseProxyWhitelist        string
+	HTTPSecurityHeaders          secureOptions
 	Prometheus                   prometheusOptions
 	Scanner                      scannerOptions
 	Jukebox                      jukeboxOptions
@@ -130,6 +131,10 @@ type listenBrainzOptions struct {
 	BaseURL string
 }
 
+type secureOptions struct {
+	CustomFrameOptionsValue string
+}
+
 type prometheusOptions struct {
 	Enabled     bool
 	MetricsPath string
@@ -350,6 +355,8 @@ func init() {
 	viper.SetDefault("listenbrainz.enabled", true)
 	viper.SetDefault("listenbrainz.baseurl", "https://api.listenbrainz.org/1/")
 
+	viper.SetDefault("httpsecurityheaders.customframeoptionsvalue", "DENY")
+
 	// DevFlags. These are used to enable/disable debugging and incomplete features
 	viper.SetDefault("devlogsourceline", false)
 	viper.SetDefault("devenableprofiler", false)

server/middlewares.go

@@ -102,6 +102,7 @@ func secureMiddleware() func(http.Handler) http.Handler {
 		FrameDeny:               true,
 		ReferrerPolicy:          "same-origin",
 		PermissionsPolicy:       "autoplay=(), camera=(), microphone=(), usb=()",
+		CustomFrameOptionsValue: conf.Server.HTTPSecurityHeaders.CustomFrameOptionsValue,
 		//ContentSecurityPolicy: "script-src 'self' 'unsafe-inline'",
 	})
 	return sec.Handler