docs(security): document clickjacking protection#590

Draft
samgutentag wants to merge 1 commit into main from
sam-gutentag/clickjacking-protection-security-headers

Conversation

@samgutentag
Member

Summary

  • Adds a bullet point to the Infrastructure Security section documenting that all Trunk app pages now set Content-Security-Policy: frame-ancestors 'self' and X-Frame-Options: SAMEORIGIN to prevent clickjacking

Context

This documents trunk2 PR #3775 (shipped in v164), which addressed a customer clickjacking report by adding anti-framing headers to all frontend routes.

Test plan

  • Review the security.md update for accuracy
  • Verify the headers description matches what's actually deployed

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

https://claude.ai/code/session_014qULqFuLwEDqNLt4pr2iNu


Generated by Claude Code

…ders

Trunk now sets Content-Security-Policy: frame-ancestors 'self' and
X-Frame-Options: SAMEORIGIN on all frontend routes, addressing a
customer clickjacking report. Trunk2 PR #3775, shipped in v164.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

https://claude.ai/code/session_014qULqFuLwEDqNLt4pr2iNu
@trunk-staging-io

Merging to main in this repository is managed by Trunk.

  • To merge this pull request, check the box to the left or comment /trunk merge below.

After your PR is submitted to the merge queue, this comment will be automatically updated with its status. If the PR fails, failure details will also be posted here.

@claude
Contributor

claude Bot commented Apr 29, 2026

Claude finished @samgutentag's task in 1m 4s

PR Review Complete

  • Read CLAUDE.md for repo-specific instructions
  • Read the changed file (setup-and-administration/security.md)
  • Review for typos, grammar, formatting, and documentation best practices
  • Post inline comments for specific issues
  • Finalize review

Review Summary

The change adds one bullet point to the Infrastructure Security section documenting clickjacking protection via anti-framing headers. Overall this is accurate, well-formatted, and consistent with the existing style in the section.

Positives:

  • Formatting matches the established * **Label**: Description pattern
  • Technically accurate — Content-Security-Policy: frame-ancestors 'self' and X-Frame-Options: SAMEORIGIN are the correct headers for clickjacking protection
  • The description is clear and appropriately concise for a high-level security overview

Minor suggestion (non-blocking):

  • Left one inline comment suggesting a small wording tweak: "embedded in external iframes" → "framed by external sites" to avoid slight redundancy. See the inline comment for the suggestion block.

No blocking issues found. ✓
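The test plan asks to verify that the deployed headers match the description. The following added example (not code from the Trunk repository or from this PR) evaluates a response header set the way a CSP-aware browser does, so the documented combination can be checked against a same-origin and a cross-origin framer; the header sets and origins used are constructed for illustration.

```python
# Added example (not Trunk's code): evaluate anti-framing headers the way a
# CSP-aware browser does. When Content-Security-Policy carries frame-ancestors,
# X-Frame-Options is ignored; otherwise X-Frame-Options is the fallback.
from urllib.parse import urlsplit


def _origin(url: str) -> str:
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()


def _frame_ancestors(csp: str):
    """Source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def allows_framing(headers: dict, page_url: str, framer_url: str) -> bool:
    """True if a page served with `headers` at page_url may be framed by a
    document at framer_url. Header names are matched case-insensitively.
    Handles origin sources, 'self', 'none' and *; wildcard host patterns
    such as https://*.example.com are treated as non-matching."""
    h = {k.lower(): v for k, v in headers.items()}
    page, framer = _origin(page_url), _origin(framer_url)

    sources = _frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:  # CSP decides; X-Frame-Options is ignored
        if sources == ["none"]:
            return False
        return any(
            src == "*" or (src == "self" and framer == page) or src == framer
            for src in sources
        )

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer == page
    return True  # no anti-framing header: any site may frame the page


# Constructed header set matching the configuration documented in the PR.
DOCUMENTED = {"Content-Security-Policy": "frame-ancestors 'self'",
              "X-Frame-Options": "SAMEORIGIN"}
```

Run `allows_framing(DOCUMENTED, page, framer)` against a real response's headers to confirm that only the page's own origin may frame it.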

* **Encryption in transit**: All data transmitted to and from Trunk uses TLS (Transport Layer Security) and HSTS
* **Encryption at rest**: All customer data is encrypted using AES-256
* **Network isolation**: Production services run in isolated AWS VPCs with restricted access; all services are within private subnets with no internet access and use a network gateway to permit specific traffic
* **Clickjacking protection**: All Trunk app pages set `Content-Security-Policy: frame-ancestors 'self'` and `X-Frame-Options: SAMEORIGIN`, preventing Trunk pages from being embedded in external iframes
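Review bot: the new bullet on the last line presents the two headers as jointly enforced, but a browser that implements CSP Level 2 ignores `X-Frame-Options` whenever a `frame-ancestors` directive is present, so in those clients only `Content-Security-Policy: frame-ancestors 'self'` governs; consider wording it so that `X-Frame-Options: SAMEORIGIN` is described as the fallback for clients without CSP support, which keeps the documentation aligned with what browsers actually evaluate.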

Minor nit (non-blocking): "embedded in external iframes" is slightly redundant since iframes are inherently an embedding mechanism. Consider tightening to "framed by external sites" for clarity.

Suggested change
* **Clickjacking protection**: All Trunk app pages set `Content-Security-Policy: frame-ancestors 'self'` and `X-Frame-Options: SAMEORIGIN`, preventing Trunk pages from being embedded in external iframes
* **Clickjacking protection**: All Trunk app pages set `Content-Security-Policy: frame-ancestors 'self'` and `X-Frame-Options: SAMEORIGIN`, preventing Trunk pages from being framed by external sites


@github-actions github-actions Bot left a comment


Auto-approved: Claude code review passed.
