Protect Ory Docs against Clickjacking Attacks

[tricky42]

To protect against Clickjacking Attacks, it is best practice to:

• Preventing the browser from loading the page in frame using the X-Frame-Options or Content Security Policy (frame-ancestors) HTTP headers.
• Preventing session cookies from being included when the page is loaded in a frame using the SameSite cookie attribute.

Full details can be found here: https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html

Current Status

• CSP Headers: not set
• x-frame-options: not set

For the CSP headers, we need to define all aspects, not only frame-ancestors and have a report-only testing phase. @vinckr I don't think we are currently embedding the docs somewhere else via iframes, or?

[vinckr]

No, we aren't embedding the docs anywhere at the moment.