prevent clickjacking
This commit is contained in:
		
							parent
							
								
									36f054b84e
								
							
						
					
					
						commit
						c02f80d996
					
				|  | @ -38,6 +38,8 @@ include_once('account.inc'); | ||||||
| // check client IP address
 | // check client IP address
 | ||||||
| checkClientIP(); | checkClientIP(); | ||||||
| 
 | 
 | ||||||
|  | setLAMHeaders(); | ||||||
|  | 
 | ||||||
| /** | /** | ||||||
|  * Starts a session and checks the environment. |  * Starts a session and checks the environment. | ||||||
|  * The script is stopped if one of the checks fail (timeout redirection may be overriden). |  * The script is stopped if one of the checks fail (timeout redirection may be overriden). | ||||||
|  | @ -556,4 +558,14 @@ function getSecurityTokenValue() { | ||||||
| 	return $_SESSION[getSecurityTokenName()]; | 	return $_SESSION[getSecurityTokenName()]; | ||||||
| } | } | ||||||
| 
 | 
 | ||||||
|  | /** | ||||||
|  |  * Sets the X-Frame-Options and Content-Security-Policy header to prevent clickjacking. | ||||||
|  |  */ | ||||||
|  | function setLAMHeaders() { | ||||||
|  | 	if (!headers_sent()) { | ||||||
|  | 		header('X-Frame-Options: sameorigin'); | ||||||
|  | 		header('Content-Security-Policy: frame-ancestors \'self\''); | ||||||
|  | 	} | ||||||
|  | } | ||||||
|  | 
 | ||||||
| ?>
 | ?>
 | ||||||
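Review bot: `header()` replaces an existing header of the same name by default, so the second `header()` call in the new `setLAMHeaders()` would discard any `Content-Security-Policy` a page may have set before the call at the top of the file runs (none is visible in this hunk); browsers enforce every CSP header they receive, so `header('Content-Security-Policy: frame-ancestors \'self\'', false);` keeps an earlier policy intact alongside this one. The `headers_sent()` guard drops the frame protection silently once output has started, which deserves a comment on the `if` line: `// output already started: headers cannot be added, so this response goes out without frame protection`. A `: void` return type on `setLAMHeaders()` and a docblock that says "headers" (two are set) would complete it.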