diff --git a/src/actix/mod.rs b/src/actix/mod.rs
index 46c5c1ca807..e859f62dc7a 100644
--- a/src/actix/mod.rs
+++ b/src/actix/mod.rs
@@ -14,7 +14,8 @@ use ::api::grpc::models::{ApiResponse, ApiStatus, VersionInfo};
 use actix_cors::Cors;
 use actix_multipart::form::tempfile::TempFileConfig;
 use actix_multipart::form::MultipartFormConfig;
-use actix_web::middleware::{Compress, Condition, Logger};
+use actix_web::http::header::HeaderValue;
+use actix_web::middleware::{Compress, Condition, DefaultHeaders, Logger};
 use actix_web::{error, get, web, App, HttpRequest, HttpResponse, HttpServer, Responder};
 use actix_web_extras::middleware::Condition as ConditionEx;
 use collection::operations::validation;
@@ -183,7 +184,15 @@ pub fn init(
 if web_ui_available {
 app = app.service(
- actix_files::Files::new(WEB_UI_PATH, &static_folder).index_file("index.html"),
+ actix_web::web::scope(WEB_UI_PATH)
+ // For security reasons, deny embedding the web UI in an iframe
+ .wrap(
+ DefaultHeaders::new()
+ .add(("X-Frame-Options", HeaderValue::from_static("DENY"))),
+ )
+ .service(
+ actix_files::Files::new("/", &static_folder).index_file("index.html"),
+ ),
 )
 }
 app
diff --git a/tools/sync-web-ui.sh b/tools/sync-web-ui.sh
index bb88330a1b4..8e23c4ca9a2 100755
--- a/tools/sync-web-ui.sh
+++ b/tools/sync-web-ui.sh
@@ -10,7 +10,12 @@ OPENAPI_FILE=${OPENAPI_DIR:-"./docs/redoc/master/openapi.json"}
 # Get latest dist.zip, assume jq is installed
 DOWNLOAD_LINK=$(curl --silent "https://api.github.com/repos/qdrant/qdrant-web-ui/releases/latest" | jq -r '.assets[] | select(.name=="dist-qdrant.zip") | .browser_download_url')
-wget -O dist-qdrant.zip $DOWNLOAD_LINK
+if command -v wget &> /dev/null
+then
+ wget -O dist-qdrant.zip $DOWNLOAD_LINK
+else
+ curl -L -o dist-qdrant.zip $DOWNLOAD_LINK
+fi
 rm -rf "${STATIC_DIR}/"*
 unzip -o dist-qdrant.zip -d "${STATIC_DIR}"
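Review bot: The `X-Frame-Options: DENY` added in the `DefaultHeaders` wrap is the legacy anti-framing control; the current mechanism is CSP `frame-ancestors`, which browsers prefer when both headers are present and which is the one that can later be relaxed to a specific origin, so add `.add(("Content-Security-Policy", HeaderValue::from_static("frame-ancestors 'none'")))` next to the existing line and keep `X-Frame-Options` for older clients. Since this scope serves files straight out of `static_folder`, `X-Content-Type-Options: nosniff` is equally cheap to add in the same builder. `DefaultHeaders` only sets a header when the response does not already carry it, which is fine for `actix_files::Files` but is worth stating in the comment so a future handler in this scope is not assumed to be covered. `init` starts before and ends after this hunk.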
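Review bot: Both new download branches expand `$DOWNLOAD_LINK` unquoted and never check that it is non-empty, so when the GitHub API call fails or is rate-limited (jq then prints nothing) the script still reaches `rm -rf "${STATIC_DIR}/"*` and wipes the existing UI before `unzip` fails. Guard the value before the `if` with `[ -n "$DOWNLOAD_LINK" ] || { echo "dist-qdrant.zip asset not found" >&2; exit 1; }`, quote it in both branches, and use `curl -fL` so an HTTP error page is not saved as the zip. The artifact is also taken from the latest release with no checksum or signature check, so whatever that release contains is served verbatim as the web UI; pinning a release tag or verifying a published digest is the supply-chain caveat to record in the `# Get latest dist.zip` comment. `&>` is a bashism, which is only safe if the shebang outside this hunk is bash.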