From c859e371b0b94bb7ac2db7f7dfaf742a4a1fc6d9 Mon Sep 17 00:00:00 2001
From: Lukas Fleischer
Date: Sun, 5 Nov 2017 08:36:23 +0100
Subject: Set X-Frame-Options to DENY for all pages
Do not allow to render aurweb pages in a frame to protect against clickjacking.
Fixes FS#56168.
Signed-off-by: Lukas Fleischer
---
 web/lib/aur.inc.php | 1 +
 1 file changed, 1 insertion(+)
diff --git a/web/lib/aur.inc.php b/web/lib/aur.inc.php
index ce569ea7..6cd04515 100644
--- a/web/lib/aur.inc.php
+++ b/web/lib/aur.inc.php
@@ -4,6 +4,7 @@ header('Content-Type: text/html; charset=utf-8');
 header('Cache-Control: no-cache, must-revalidate');
 header('Expires: Tue, 11 Oct 1988 22:00:00 GMT'); // quite a special day
 header('Pragma: no-cache');
+header('X-Frame-Options: DENY');
 date_default_timezone_set('UTC');
-- 
cgit v1.2.3-24-g4f1b
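Review bot: The added `header('X-Frame-Options: DENY');` only reaches responses produced by scripts that include web/lib/aur.inc.php, so the "all pages" in the subject holds only if every entry point pulls this file in before sending output. That cannot be confirmed from the hunk, so it is worth checking, or setting the header in the web-server configuration as well. X-Frame-Options is the older control; browsers that implement CSP Level 2 honour `frame-ancestors` instead, so I would add `header("Content-Security-Policy: frame-ancestors 'none'");` directly below it, which only tightens what is enforced. A one-line comment such as `// Forbid framing of aurweb pages (clickjacking defence, FS#56168)` would record why the header is there, since the neighbouring header() calls give no rationale either.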