closes #3899

src/middleware/index.js

@@ -71,18 +71,7 @@ module.exports = function(app) {
 		saveUninitialized: true
 	}));
 
-	app.use(function (req, res, next) {
+	app.use(middleware.addHeaders);
-		res.setHeader('X-Powered-By', 'NodeBB');
-
-		if (meta.config['allow-from-uri']) {
-			res.setHeader('X-Frame-Options', 'ALLOW-FROM ' + meta.config['allow-from-uri']);
-		} else {
-			res.setHeader('X-Frame-Options', 'SAMEORIGIN');
-		}
-
-		next();
-	});
-
 	app.use(middleware.processRender);
 	auth.initialize(app, middleware);
 

src/middleware/middleware.js

@@ -7,6 +7,7 @@ var app,
 	async = require('async'),
 	path = require('path'),
 	csrf = require('csurf'),
+	_ = require('underscore'),
 
 	validator = require('validator'),
 	nconf = require('nconf'),
@@ -64,6 +65,30 @@ middleware.pageView = function(req, res, next) {
 	}
 };
 
+middleware.addHeaders = function (req, res, next) {
+	var defaults = {
+		'X-Powered-By': 'NodeBB',
+		'X-Frame-Options': 'SAMEORIGIN',
+		'Access-Control-Allow-Origin': 'null'	// yes, string null.
+	};
+	var headers = {
+		'X-Powered-By': meta.config['powered-by'],
+		'X-Frame-Options': meta.config['allow-from-uri'] ? 'ALLOW-FROM ' + meta.config['allow-from-uri'] : undefined,
+		'Access-Control-Allow-Origin': meta.config['access-control-allow-origin'],
+		'Access-Control-Allow-Methods': meta.config['access-control-allow-methods'],
+		'Access-Control-Allow-Headers': meta.config['access-control-allow-headers']
+	};
+
+	_.defaults(headers, defaults);
+	headers = _.pick(headers, Boolean);		// Remove falsy headers
+
+	for(var key in headers) {
+		res.setHeader(key, headers[key]);
+	}
+
+	next();
+};
+
 middleware.pluginHooks = function(req, res, next) {
 	async.each(plugins.loadedHooks['filter:router.page'] || [], function(hookObj, next) {
 		hookObj.method(req, res, next);

src/views/admin/settings/advanced.tpl

@@ -23,13 +23,40 @@
 </div>
 
 <div class="row">
-	<div class="col-sm-2 col-xs-12 settings-header">Domain Settings</div>
+	<div class="col-sm-2 col-xs-12 settings-header">Headers</div>
 	<div class="col-sm-10 col-xs-12">
 		<form>
 			<div class="form-group">
-				<label for="allow-from-uri">Set ALLOW-FROM to Place NodeBB in an iFrame:</label>
+				<label for="allow-from-uri">Set ALLOW-FROM to Place NodeBB in an iFrame</label>
 				<input class="form-control" id="allow-from-uri" type="text" placeholder="external-domain.com" data-field="allow-from-uri" /><br />
 			</div>
+			<div class="form-group">
+				<label for="powered-by">Customise the "Powered By" header sent by NodeBB</label>
+				<input class="form-control" id="powered-by" type="text" placeholder="NodeBB" data-field="powered-by" /><br />
+			</div>
+			<div class="form-group">
+				<label for="access-control-allow-origin">Access-Control-Allow-Origin</label>
+				<input class="form-control" id="access-control-allow-origin" type="text" placeholder="null" value="null" data-field="access-control-allow-origin" /><br />
+				<p class="help-block">
+					To deny access to all sites, leave empty or set to <code>null</code>
+				</p>
+			</div>
+			<div class="form-group">
+				<label for="access-control-allow-methods">Access-Control-Allow-Methods</label>
+				<input class="form-control" id="access-control-allow-methods" type="text" placeholder="" data-field="access-control-allow-methods" /><br />
+			</div>
+			<div class="form-group">
+				<label for="access-control-allow-headers">Access-Control-Allow-Headers</label>
+				<input class="form-control" id="access-control-allow-headers" type="text" placeholder="" data-field="access-control-allow-headers" /><br />
+			</div>
+		</form>
+	</div>
+</div>
+
+<div class="row">
+	<div class="col-sm-2 col-xs-12 settings-header">Cookies</div>
+	<div class="col-sm-10 col-xs-12">
+		<form>
 			<div class="form-group">
 				<label for="cookieDomain">Set domain for session cookie</label>
 				<input class="form-control" id="cookieDomain" type="text" placeholder=".domain.tld" data-field="cookieDomain" /><br />