[aur-dev] [PATCH 1/2] Set X-Frame-Options to DENY for all pages

Lukas Fleischer lfleischer at archlinux.org
Sun Nov 5 07:57:05 UTC 2017


Do not allow aurweb pages to be rendered in a frame, to protect against
clickjacking.

Fixes FS#56168.

Signed-off-by: Lukas Fleischer <lfleischer at archlinux.org>
---
 web/lib/aur.inc.php | 1 +
 1 file changed, 1 insertion(+)

diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
index ce569ea..6cd0451 100644
--- a/web/lib/aur.inc.php
+++ b/web/lib/aur.inc.php
@@ -4,6 +4,7 @@ header('Content-Type: text/html; charset=utf-8');
 header('Cache-Control: no-cache, must-revalidate');
 header('Expires: Tue, 11 Oct 1988 22:00:00 GMT'); // quite a special day
 header('Pragma: no-cache');
+header('X-Frame-Options: DENY');
 
 date_default_timezone_set('UTC');
 
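Review bot: the added header('X-Frame-Options: DENY') line after the Pragma header relies on X-Frame-Options alone; consider also sending Content-Security-Policy: frame-ancestors 'none' next to it, which is the standardized equivalent of DENY and takes precedence in browsers that support it. Since the subject says "all pages", it is also worth confirming that every entry point that emits HTML includes web/lib/aur.inc.php before producing any output, because header() has no effect once the response body has started. A short trailing comment naming clickjacking would match the commented Expires line above it.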
-- 
2.15.0

