From c02f80d996f811d2753afae5b99fd01cae3f0c38 Mon Sep 17 00:00:00 2001
From: Roland Gruber
Date: Sat, 19 Dec 2015 09:31:21 +0000
Subject: [PATCH] prevent clickjacking

---
 lam/lib/security.inc | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/lam/lib/security.inc b/lam/lib/security.inc
index c5638052..19e7232a 100644
--- a/lam/lib/security.inc
+++ b/lam/lib/security.inc
@@ -38,6 +38,8 @@ include_once('account.inc');
 // check client IP address
 checkClientIP();
 
+setLAMHeaders();
+
 /**
  * Starts a session and checks the environment.
  * The script is stopped if one of the checks fail (timeout redirection may be overriden).
@@ -556,4 +558,14 @@ function getSecurityTokenValue() {
  return $_SESSION[getSecurityTokenName()];
 }
 
+/**
+ * Sets the X-Frame-Options and Content-Security-Policy header to prevent clickjacking.
+ */
+function setLAMHeaders() {
+ if (!headers_sent()) {
+ header('X-Frame-Options: sameorigin');
+ header('Content-Security-Policy: frame-ancestors \'self\'');
+ }
+}
+
 ?>
\ No newline at end of file
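Review bot: The `headers_sent()` guard in setLAMHeaders() lets the new protection fail silently: any page that has already produced output before security.inc runs gets neither X-Frame-Options nor the frame-ancestors directive, and nothing records that this happened. I would add an `else` branch that at least logs the condition, e.g. `else { error_log('setLAMHeaders(): output already started, anti-clickjacking headers not sent'); }`, so a missing header shows up in logs instead of only in a browser audit. The docblock should say "headers" rather than "header" and could state why both are sent on purpose: older browsers only understand X-Frame-Options, while CSP frame-ancestors is meant to take precedence where it is supported. The call added in the first hunk runs at include time before the function's definition further down the same file, which is fine for an unconditional top-level PHP function declaration but is worth a one-line comment at the call site.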