Commit c8a0c7c9 authored by webchick's avatar webchick

Issue #2514136 by pwolanin, Fabianx: Add default clickjacking defense to core

parent 2710ccd0
......@@ -113,6 +113,7 @@ public function onRespond(FilterResponseEvent $event) {
// XSS and other vulnerabilities.
// https://www.owasp.org/index.php/List_of_useful_HTTP_headers
$response->headers->set('X-Content-Type-Options', 'nosniff', FALSE);
$response->headers->set('X-Frame-Options', 'SAMEORIGIN', FALSE);
// Expose the cache contexts and cache tags associated with this page in a
// X-Drupal-Cache-Contexts and X-Drupal-Cache-Tags header respectively.
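Review bot: The new `X-Frame-Options` line passes `FALSE` as the third argument; if `$response->headers` is Symfony's HeaderBag, that flag appends to an existing value rather than leaving it untouched, so a response on which an earlier subscriber or a module already set a different policy would go out with two conflicting values, which browsers resolve by refusing to frame the page at all. That outcome is fail-safe but surprising, and nothing on the line documents that the intended way to permit framing is to remove the header afterwards; a comment would help: `// Clickjacking defense: refuse to be framed by other origins. Code that must allow cross-origin framing should remove this header in a later subscriber rather than set a second value.` It may also be worth noting next to it that `X-Frame-Options` cannot express per-origin allow-lists, so anything beyond deny/same-origin belongs in a CSP `frame-ancestors` directive. onRespond starts before the hunk and continues past it.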
......@@ -40,7 +40,7 @@ public function testFinishResponseSubscriber() {
$this->assertEqual($headers['x-ua-compatible'], 'IE=edge');
$this->assertEqual($headers['content-language'], 'en');
$this->assertEqual($headers['x-content-type-options'], 'nosniff');
$this->assertEqual($headers['x-frame-options'], 'SAMEORIGIN');
$this->drupalGet('router_test/test2');
$this->assertRaw('test2', 'The correct string was returned because the route was successful.');
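Review bot: The added assertion only pins the default value on the first request; it does not cover the situation the subscriber's `FALSE` replace flag exists for, a response that already carries its own `X-Frame-Options`, nor that exactly one value is emitted. A second request against a route whose controller sets the header itself (or removes it), followed by an assertion that the final value is what that controller chose, would make the override contract explicit and catch a regression to appending a second value. testFinishResponseSubscriber starts before the hunk and continues past it.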