forked from icecoder/ICEcoder
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathheaders.php
More file actions
35 lines (31 loc) · 1.35 KB
/
headers.php
File metadata and controls
35 lines (31 loc) · 1.35 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
<?php
// Stop if we're running an old version in the tmp dir
if(strpos(str_replace("\\","/",dirname(__FILE__)),"tmp/oldVersion") !== false) {
die("This is an old version of ICEcoder. Won't run from tmp/oldVersion/ dir.");
}
// Load common functions
include_once(dirname(__FILE__)."/settings-common.php");
$text = $_SESSION['text'];
$t = $text['headers'];
// CSRF synchronizer token pattern, 32 chars
if (!isset($_SESSION["csrf"])) {
$_SESSION["csrf"] = md5(uniqid(mt_rand(), true));
}
if (($_GET || $_POST) && (!isset($_REQUEST["csrf"]) || $_REQUEST["csrf"] !== $_SESSION["csrf"])) {
$req = isset($_REQUEST["csrf"]) ? xssClean($_REQUEST["csrf"],"html") : "";
die($t['Bad CSRF token...']."<br><br>
CSRF issue:<br>
REQUEST: ".$req."<br>
SESSION: ".xssClean($_SESSION["csrf"],"html")."<br>
FILE: ".xssClean($_SERVER["SCRIPT_NAME"],"html")."<br>
GET: ".xssClean(var_export($_GET, true),"html")."<br>
POST: ".xssClean(var_export($_POST, true),"html"));
}
if (!headers_sent()) {
// Set our security related headers
header("X-Frame-Options: SAMEORIGIN"); // Only frames of same origin
header("X-XSS-Protection: 1; mode=block"); // Turn on IE8-9 XSS prevention tools
// header("X-Content-Security-Policy: allow 'self'"); // Only allows JS on same domain & not inline to run
header("X-Content-Type-Options: nosniff"); // Prevent MIME based attacks
}
?>