From 3cd065de34b9f75e2829f99c5dc2ff5392ede1db Mon Sep 17 00:00:00 2001
From: David Hicks
Date: Thu, 22 Apr 2010 18:02:20 +1000
Subject: [PATCH] Issue #11824: Implement X-Frame-Options clickjacking protection

The X-Frame-Options header can help prevent clickjacking attacks against MantisBT installations by preventing MantisBT from being loaded inside an iframe.

Currently the following browsers support X-Frame-Options:
* IE8+
* Opera 10.50+
* Safari 4+
* Chrome 4.1.249.1042+
* Firefox with NoScript
---
 core/http_api.php | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/core/http_api.php b/core/http_api.php
index 9731712c54..6ce456a748 100644
--- a/core/http_api.php
+++ b/core/http_api.php
@@ -117,6 +117,15 @@ function http_content_headers() {
 	}
 }
 
+/**
+ * Set security headers (frame busting, clickjacking/XSS/CSRF protection).
+ */
+function http_security_headers() {
+	if ( !headers_sent() ) {
+		header( 'X-Frame-Options: DENY' );
+	}
+}
+
 /**
  * Load and set any custom headers defined by the site configuration.
  */
@@ -138,6 +147,7 @@ function http_all_headers() {
 	if ( !$g_bypass_headers && !headers_sent() ) {
 		http_content_headers();
 		http_caching_headers();
+		http_security_headers();
 		http_custom_headers();
 	}
 }
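Review bot: The docblock on the new http_security_headers() promises "clickjacking/XSS/CSRF protection", but the body emits only `X-Frame-Options: DENY`, which mitigates framing-based clickjacking and nothing else; the comment should match what the code does, e.g. `* Set security headers (currently X-Frame-Options to mitigate clickjacking).`. The DENY value is also hard-coded, so a deployment that legitimately embeds MantisBT pages in its own same-origin frames would be broken with no configuration switch to SAMEORIGIN or to disable the header; reading the value from a site config option in this function would keep the strict default while leaving an escape hatch. The inner `!headers_sent()` guard duplicates the check the caller http_all_headers() already makes in the second hunk, which is harmless but worth a one-line comment if direct calls are expected.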
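Review bot: http_security_headers() is called before http_custom_headers(), so if the custom-header routine emits via header() with its default replace behaviour, a site-configured X-Frame-Options header would silently override the DENY value set here. If that override is intended as the escape hatch for framed deployments it should be stated, e.g. `// custom headers run last and may override the defaults set above`; if not, the order of the two calls should be swapped or the custom-header path should reject that name. http_all_headers() begins before this hunk (its signature and the $g_bypass_headers declaration are outside the view); the hunk ends at the function's closing brace.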