[1/2] Set X-Frame-Options to DENY for all pages

Message ID 20171105075706.11615-1-lfleischer@archlinux.org
State Accepted, archived
Headers show
Series
  • [1/2] Set X-Frame-Options to DENY for all pages
Related show

Commit Message

Lukas Fleischer Nov. 5, 2017, 7:57 a.m. UTC
Do not allow to render aurweb pages in a frame to protect against
clickjacking.

Fixes FS#56168.

Signed-off-by: Lukas Fleischer <lfleischer@archlinux.org>
---
 web/lib/aur.inc.php | 1 +
 1 file changed, 1 insertion(+)

Patch

diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
index ce569ea..6cd0451 100644
--- a/web/lib/aur.inc.php
+++ b/web/lib/aur.inc.php
@@ -4,6 +4,7 @@  header('Content-Type: text/html; charset=utf-8');
 header('Cache-Control: no-cache, must-revalidate');
 header('Expires: Tue, 11 Oct 1988 22:00:00 GMT'); // quite a special day
 header('Pragma: no-cache');
+header('X-Frame-Options: DENY');
 
 date_default_timezone_set('UTC');