Make cookies https-only if LOCAL_HTTPS is true, set X-Frame-Options to DENY,

add permissive CORS to API controllers

config/application.rb

@@ -36,5 +36,9 @@ module Mastodon
     config.to_prepare do
       Doorkeeper::AuthorizationsController.layout 'auth'
     end
+
+    config.action_dispatch.default_headers = {
+      'X-Frame-Options' => 'DENY'
+    }
   end
 end

config/initializers/session_store.rb

@@ -1,3 +1,3 @@
 # Be sure to restart your server when you modify this file.
 
-Rails.application.config.session_store :cookie_store, key: '_mastodon_session'
+Rails.application.config.session_store :cookie_store, key: '_mastodon_session', secure: (ENV['LOCAL_HTTPS'] == 'true')