fix: use image/avif as default avatar mime

fix: disable cross-origin iframes

crates/app/src/main.rs

@@ -11,12 +11,16 @@ use assets::{init_dirs, write_assets};
 use tetratto_core::model::{permissions::FinePermission, uploads::CustomEmoji};
 pub use tetratto_core::*;
 
-use axum::{Extension, Router};
+use axum::{
+    http::{HeaderName, HeaderValue},
+    Extension, Router,
+};
 use reqwest::Client;
 use tera::{Tera, Value};
 use tower_http::{
-    trace::{self, TraceLayer},
     catch_panic::CatchPanicLayer,
+    set_header::SetResponseHeaderLayer,
+    trace::{self, TraceLayer},
 };
 use tracing::{Level, info};
 
@@ -115,6 +119,10 @@ async fn main() {
                 .make_span_with(trace::DefaultMakeSpan::new().level(Level::INFO))
                 .on_response(trace::DefaultOnResponse::new().level(Level::INFO)),
         )
+        .layer(SetResponseHeaderLayer::if_not_present(
+            HeaderName::from_static("X-Frame-Options"),
+            HeaderValue::from_static("SAMEORIGIN"),
+        ))
         .layer(CatchPanicLayer::new());
 
     let listener = tokio::net::TcpListener::bind(format!("0.0.0.0:{}", config.port))