Fix Click-Jacking attack on account deletion page

This attack has been mitigated by adding a HTTP header of X-Frame-Options to every page in Mahara. Bug #1057240 CVE-2012-2246 Change-Id: Ia15bb43c83054ffa5540d71fcc932266b92d288f Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>

Fix Click-Jacking attack on account deletion page
This attack has been mitigated by adding a HTTP header of X-Frame-Options to every page in Mahara. Bug #1057240 CVE-2012-2246 Change-Id: Ia15bb43c83054ffa5540d71fcc932266b92d288f Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
b480b81a · Hugh Davenport · f964a327 · b480b81a
Commit b480b81a authored Sep 27, 2012 by Hugh Davenport
--- a/htdocs/init.php
+++ b/htdocs/init.php
@@ -46,6 +46,9 @@ header('Cache-Control: private, must-revalidate, pre-check=0, post-check=0, max-
 header('Expires: '. gmdate('D, d M Y H:i:s', 507686400) .' GMT');
 header('Pragma: no-cache');

+// Prevent clickjacking through iframe tags
+header('X-Frame-Options: SAMEORIGIN');
+
 // Set up error handling
 require('errors.php');