From cc5cd166bebb01f231912e5c4c590b9f483cd159 Mon Sep 17 00:00:00 2001
From: Matt Pass
Date: Fri, 26 Sep 2014 11:59:03 +0100
Subject: [PATCH] Only if no headers sent, set the 3 headers

---
 lib/headers.php | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/lib/headers.php b/lib/headers.php
index d368270..6536ab4 100644
--- a/lib/headers.php
+++ b/lib/headers.php
@@ -25,9 +25,11 @@ if (($_GET || $_POST) && (!isset($_REQUEST["csrf"]) || $_REQUEST["csrf"] !== $_S
 POST: ".xssClean(var_export($_POST, true),"html"));
 }
 
-// Set our security related headers
-header("X-Frame-Options: SAMEORIGIN"); // Only frames of same origin
-header("X-XSS-Protection: 1; mode=block"); // Turn on IE8-9 XSS prevention tools
-// header("X-Content-Security-Policy: allow 'self'"); // Only allows JS on same domain & not inline to run
-header("X-Content-Type-Options: nosniff"); // Prevent MIME based attacks
+if (!headers_sent()) {
+ // Set our security related headers
+ header("X-Frame-Options: SAMEORIGIN"); // Only frames of same origin
+ header("X-XSS-Protection: 1; mode=block"); // Turn on IE8-9 XSS prevention tools
+ // header("X-Content-Security-Policy: allow 'self'"); // Only allows JS on same domain & not inline to run
+ header("X-Content-Type-Options: nosniff"); // Prevent MIME based attacks
+}
 ?>
\ No newline at end of file
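Review bot: The new `if (!headers_sent())` guard turns a loud failure into a silent one: whenever output has already started, the response goes out without X-Frame-Options, X-XSS-Protection and X-Content-Type-Options and nothing records that the protections were dropped. Capture the origin with `if (!headers_sent($file, $line)) {` and add an `else { error_log("Security headers not sent: output already started at $file:$line"); }` branch so the condition is visible in logs and can be fixed at its source. The most common such source is stray whitespace after a closing tag in an included file, so the `?>` on the last line of this PHP-only file (already flagged by "No newline at end of file") is itself a candidate for removal. The first context line is the tail of a multi-line string from the CSRF `die()` that begins above the hunk.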