Fix clickjacking attack vulnerability in nginx

For Fuel web interface and other sites served by nginx on fuel master
we should use X-Frame-Options SAMEORIGIN to prevent from clickjacking,
e.g. the page can only be displayed in a frame on the same
origin as the page itself.

Change-Id: Ie8d6e4e92222ac9bb7c489dd0a5aff833fabe873
Closes-Bug: #1497194

deployment/puppet/nailgun/spec/classes/nginx_service_spec.rb

@@ -0,0 +1,7 @@
+require 'spec_helper'
+
+describe 'nailgun::nginx-service' do
+  it 'should contain X-Frame-Options SAMEORIGIN header' do
+    should contain_file('/etc/nginx/nginx.conf').with_content(/^\s*add_header X-Frame-Options SAMEORIGIN;$/)
+  end
+end

deployment/puppet/nailgun/templates/nginx.conf.erb

@@ -35,6 +35,9 @@ http {
     #prefer server ciphers over client ones
     ssl_prefer_server_ciphers on;
 
+    #prevent from clickjacking attacks
+    add_header X-Frame-Options SAMEORIGIN;
+
     # Load config files from the /etc/nginx/conf.d directory
     # The default server is in conf.d/default.conf
     include /etc/nginx/conf.d/*.conf;