From 0e89251bacd634a712397b0de508a97b95fe15ab Mon Sep 17 00:00:00 2001
From: jramos
Date: Fri, 13 Feb 2026 10:50:37 -0700
Subject: [PATCH] Fix: Change X-Frame-Options to SAMEORIGIN to allow PDF iframe embedding
---
 backend/server.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/backend/server.js b/backend/server.js
index bd459bf..b2a23d5 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -96,7 +96,7 @@ app.use((req, res, next) => {
 // Security headers
 app.use((req, res, next) => {
 res.setHeader('X-Content-Type-Options', 'nosniff');
- res.setHeader('X-Frame-Options', 'DENY');
+ res.setHeader('X-Frame-Options', 'SAMEORIGIN'); // Allow iframes from same origin
 res.setHeader('X-XSS-Protection', '1; mode=block');
 res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
 res.setHeader('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
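Review bot: The relaxed `X-Frame-Options` value on the changed line is set for every response that passes through this middleware, not only the PDF views named in the commit subject, so every page of the app becomes frameable by any same-origin document. Consider keeping `DENY` as the default and relaxing it only where the embedded PDFs are served, e.g. `res.setHeader('X-Frame-Options', req.path.startsWith('/<pdf-route>') ? 'SAMEORIGIN' : 'DENY');` (the route prefix is a placeholder, as the real path is not visible here). No `Content-Security-Policy` header appears in this hunk; if none is set elsewhere, `frame-ancestors 'self'` expresses the same restriction in the form current browsers give precedence to. The middleware body continues past the end of the hunk, so headers set after these lines were not reviewed.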