Mirrors/ICEcoder
2
0
Fork 0
mirror of https://github.com/icecoder/ICEcoder.git synced 2026-03-03 07:13:59 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add CSRF and clickjacking protection

Browse Source 
This header file included in all PHP files as first item.
CSRF checks happen on GET or POST instances
Security related headers also added to prevent clickjacking
This commit is contained in:
Matt Pass
2014-04-18 18:21:17 +01:00
parent c6bb782118
commit 1d5c74e424
1 changed files with 18 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
lib/headers.php Normal file
View File

@@ -0,0 +1,18 @@
<?php
// Start a session if we haven't already
if(!isset($_SESSION)) {@session_start();}
// CSRF synchronizer token pattern, 32 chars
if (!isset($_SESSION["csrf"])) {
$_SESSION["csrf"] = md5(uniqid(mt_rand(), true));
}
if ($_REQUEST && $_REQUEST["csrf"] !== $_SESSION["csrf"]) {
echo '<script>alert("Bad CSRF token. Please press F12, view the console and report the error, including file & line number, so it can be fixed. Many thanks!");</script>';
echo '<script>console.log("CSRF issue: REQUEST: "+$_REQUEST["csrf"]+", SESSION: "+$_SESSION["csrf"]);</script>';
die('Bad CSRF token');
}
// Set our security related headers, prevents clickjacking
header("frame-options: SAMEORIGIN");
header("XSS-Protection: 1; mode=block");
?>