From 1d5c74e424440cd6c8341fcec8568474a2cbfd1c Mon Sep 17 00:00:00 2001
From: Matt Pass
Date: Fri, 18 Apr 2014 18:21:17 +0100
Subject: [PATCH] Add CSRF and clickjacking protection

This header file included in all PHP files as first item. CSRF checks happen on GET or POST instances Security related headers also added to prevent clickjacking
---
 lib/headers.php | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
 create mode 100644 lib/headers.php

diff --git a/lib/headers.php b/lib/headers.php
new file mode 100644
index 0000000..c1d2970
--- /dev/null
+++ b/lib/headers.php
@@ -0,0 +1,18 @@
+alert("Bad CSRF token. Please press F12, view the console and report the error, including file & line number, so it can be fixed. Many thanks!");';
+ echo '';
+ die('Bad CSRF token');
+}
+
+// Set our security related headers, prevents clickjacking
+header("frame-options: SAMEORIGIN");
+header("XSS-Protection: 1; mode=block");
+?>
\ No newline at end of file
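Review bot: The two header() calls at the end of the hunk send `frame-options` and `XSS-Protection`, which are not the header names browsers act on, so the clickjacking protection the commit message describes is not actually applied; they should read `header("X-Frame-Options: SAMEORIGIN");` and `header("X-XSS-Protection: 1; mode=block");`. Because the CSRF rejection branch echoes output and calls die() before those lines run, the rejection response goes out without either header, so the header() calls belong above the token check to cover both paths. The token comparison itself is lost in the extraction of this hunk, so I cannot confirm it, but if it compares the submitted value with `==` or `===` it should use `hash_equals()` against the session token to avoid loose comparison and a timing side channel. For what it is worth, `X-Frame-Options` is still honoured and `Content-Security-Policy: frame-ancestors 'self'` is its current replacement, whereas `X-XSS-Protection` is a legacy header that most current browsers ignore.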