Merge pull request #1493 from porter-dev/production-hotfixes

Production hotfixes

api/server/router/router.go

@@ -7,6 +7,7 @@ import (
 	"strings"
 
 	"github.com/go-chi/chi"
+	chiMiddleware "github.com/go-chi/chi/middleware"
 	"github.com/porter-dev/porter/api/server/authn"
 	"github.com/porter-dev/porter/api/server/authz"
 	"github.com/porter-dev/porter/api/server/authz/policy"
@@ -50,6 +51,10 @@ func NewAPIRouter(config *config.Config) *chi.Mux {
 	userRegisterer := NewUserScopedRegisterer(projRegisterer)
 	panicMW := middleware.NewPanicMiddleware(config)
 
+	if config.ServerConf.PprofEnabled {
+		r.Mount("/debug", chiMiddleware.Profiler())
+	}
+
 	r.Route("/api", func(r chi.Router) {
 		// set panic middleware for all API endpoints to catch panics
 		r.Use(panicMW.Middleware)
@@ -103,6 +108,8 @@ func NewAPIRouter(config *config.Config) *chi.Mux {
 	fs := http.FileServer(http.Dir(staticFilePath))
 
 	r.Get("/*", func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("X-Frame-Options", "DENY")
+
 		if _, err := os.Stat(staticFilePath + r.RequestURI); os.IsNotExist(err) {
 			w.Header().Set("Cache-Control", "no-cache")
 

api/server/shared/config/env/envconfs.go

@@ -85,6 +85,9 @@ type ServerConf struct {
 
 	// Token for internal retool to authenticate to internal API endpoints
 	RetoolToken string `env:"RETOOL_TOKEN"`
+
+	// Enable pprof profiling endpoints
+	PprofEnabled bool `env:"PPROF_ENABLED,default=false"`
 }
 
 // DBConf is the database configuration: if generated from environment variables,