Issue #11824: Implement X-Frame-Options clickjacking protection

The X-Frame-Options header can help prevent clickjacking attacks against MantisBT installations by preventing MantisBT from being loaded inside an iframe. Currently the following browsers support X-Frame-Options: * IE8+ * Opera 10.50+ * Safari 4+ * Chrome 4.1.249.1042+ * Firefox with NoScript
mantisbt · Apr 22, 2010 · 3cd065d · 3cd065d
1 parent dfeddb5
commit 3cd065d
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/core/http_api.php b/core/http_api.php
@@ -117,6 +117,15 @@ function http_content_headers() {
 	}
 }
 
+/**
+ * Set security headers (frame busting, clickjacking/XSS/CSRF protection).
+ */
+function http_security_headers() {
+	if ( !headers_sent() ) {
+		header( 'X-Frame-Options: DENY' );
+	}
+}
+
 /**
  * Load and set any custom headers defined by the site configuration.
  */
@@ -138,6 +147,7 @@ function http_all_headers() {
 	if ( !$g_bypass_headers && !headers_sent() ) {
 		http_content_headers();
 		http_caching_headers();
+		http_security_headers();
 		http_custom_headers();
 	}
 }