From 4d9854062c93610ec37d3dab77e63b90a791db36 Mon Sep 17 00:00:00 2001
From: Maurice
Date: Thu, 19 Mar 2026 14:44:35 +0100
Subject: [PATCH] Fix PDF export: allow same-origin iframes (X-Frame-Options)
---
 server/src/index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/server/src/index.js b/server/src/index.js
index e6ef1b9..ba1cd38 100644
--- a/server/src/index.js
+++ b/server/src/index.js
@@ -47,7 +47,7 @@ app.use(express.json());
 // Security headers
 app.use((req, res, next) => {
 res.setHeader('X-Content-Type-Options', 'nosniff');
- res.setHeader('X-Frame-Options', 'DENY');
+ res.setHeader('X-Frame-Options', 'SAMEORIGIN');
 res.setHeader('X-XSS-Protection', '1; mode=block');
 res.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
 next();
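Review bot: The switch to `SAMEORIGIN` sits in the global security-headers middleware, so every response becomes frameable by any same-origin page, not only the PDF export view named in the commit subject. If the export is served from a single route (not visible in this hunk), consider keeping `DENY` here and overriding the header only in that route's handler; this matters most if the origin also serves user-supplied HTML or uploads. `X-Frame-Options` is also the legacy control, so, provided no other CSP is set elsewhere, adding `res.setHeader('Content-Security-Policy', "frame-ancestors 'self'");` beside it expresses the same policy for modern browsers. The middleware body continues past the end of the hunk.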