
Issue #11824: Implement X-Frame-Options clickjacking protection

The X-Frame-Options header can help prevent clickjacking attacks against
MantisBT installations by preventing MantisBT from being loaded inside
an iframe.

Currently the following browsers support X-Frame-Options:
* IE8+
* Opera 10.50+
* Safari 4+
* Chrome 4.1.249.1042+
* Firefox with NoScript
davidhicks committed Apr 22, 2010
1 parent dfeddb5 commit 3cd065de34b9f75e2829f99c5dc2ff5392ede1db
Showing with 10 additions and 0 deletions.
  1. +10 −0 core/http_api.php
@@ -117,6 +117,15 @@ function http_content_headers() {
}
}

/**
* Set security headers (frame busting, clickjacking/XSS/CSRF protection).
*/
function http_security_headers() {
if ( !headers_sent() ) {
header( 'X-Frame-Options: DENY' );
}
}

/**
* Load and set any custom headers defined by the site configuration.
*/
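Review bot: the docblock added above http_security_headers() promises "frame busting, clickjacking/XSS/CSRF protection", but the body only emits `X-Frame-Options: DENY`; narrow the comment to what the function actually does (for example `Set security headers (currently X-Frame-Options clickjacking protection).`) so nobody assumes XSS or CSRF headers are set here. Also worth stating in the comment that `DENY` refuses framing even from MantisBT's own origin, so any same-origin embedding of MantisBT pages stops working; if that is intended, say so, otherwise `SAMEORIGIN` or a configuration option is the less surprising choice.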
@@ -138,6 +147,7 @@ function http_all_headers() {
if ( !$g_bypass_headers && !headers_sent() ) {
http_content_headers();
http_caching_headers();
http_security_headers();
http_custom_headers();
}
}
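Review bot: http_security_headers() is called before http_custom_headers(), and PHP's header() replaces an earlier header of the same name by default, so an `X-Frame-Options` value defined in the site configuration silently overrides the `DENY` set here. If a site-level override is the intent, document it in the http_all_headers() docblock; if the hardened value should always win, call http_security_headers() after http_custom_headers().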

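To make the browser side of this change concrete, the following is an added example (not MantisBT code, and written in Python rather than PHP because it models what the browser does with the header, not what the server emits). It follows the X-Frame-Options processing steps that current browsers implement, so it goes beyond the single `DENY` value this commit sends: a missing header leaves the page frameable, `DENY` blocks every ancestor, `SAMEORIGIN` requires every ancestor frame to share the response's origin, conflicting values fail closed, and unrecognised tokens (including the later, now obsolete `ALLOW-FROM`) are ignored. All URLs and header lists are constructed sample data.

```python
# Added example for this commit page, not MantisBT code. Models how a browser
# decides whether a response may be rendered inside a frame, following the
# HTML standard's X-Frame-Options processing steps. Sample data is constructed.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
KNOWN_DIRECTIVES = {"deny", "sameorigin", "allowall"}


def origin_of(url):
    """Return the (scheme, host, port) origin tuple of an absolute URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def xfo_values(headers):
    """Collect every X-Frame-Options value from a list of (name, value) pairs.

    The header may be repeated or comma-joined; tokens compare case-insensitively.
    """
    values = []
    for name, value in headers:
        if name.lower() == "x-frame-options":
            values.extend(v.strip().lower() for v in value.split(",") if v.strip())
    return values


def may_be_framed(headers, response_url, ancestor_urls):
    """Decide whether response_url, served with `headers`, may be shown in a frame.

    ancestor_urls are the URLs of every embedding document (order is irrelevant);
    an empty list means a top-level navigation.
    """
    if not ancestor_urls:
        return True  # top-level page: X-Frame-Options does not apply

    values = xfo_values(headers)
    if not values:
        return True  # no header: any origin may frame the page (MantisBT before this commit)

    distinct = set(values)
    if len(distinct) > 1:
        # Conflicting directives such as "DENY, SAMEORIGIN" are treated as DENY;
        # several different unknown tokens are ignored as a whole.
        return not (distinct & KNOWN_DIRECTIVES)

    directive = values[0]
    if directive == "deny":
        return False
    if directive == "sameorigin":
        # Every ancestor, not only the top-level page, must be same-origin.
        target = origin_of(response_url)
        return all(origin_of(u) == target for u in ancestor_urls)
    # Unknown token (ALLOW-FROM, ALLOWALL, typos): the header is ignored entirely.
    return True


def audit(headers):
    """Classify a response's X-Frame-Options posture.

    Returns one of: "missing", "deny", "sameorigin", "conflicting", "ignored".
    """
    values = set(xfo_values(headers))
    if not values:
        return "missing"
    if len(values) > 1:
        return "conflicting" if values & KNOWN_DIRECTIVES else "ignored"
    value = next(iter(values))
    return value if value in ("deny", "sameorigin") else "ignored"


if __name__ == "__main__":
    # Constructed sample: the headers a MantisBT page sends after this commit.
    mantis = [("Content-Type", "text/html; charset=utf-8"), ("X-Frame-Options", "DENY")]
    print(audit(mantis))
    print(may_be_framed(mantis, "https://bugs.example.org/view.php?id=1",
                        ["https://attacker.example/clickjack.html"]))
```

Two caveats for anyone using this as a check: it assumes a browser that honours the header at all, which in 2010 was the short list in the commit message above; and in current browsers a `Content-Security-Policy: frame-ancestors` directive, when present, takes precedence and X-Frame-Options is not consulted, so a complete audit has to look at both headers.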