From e0ae04463ab0f4b5b5fae6df0bdc6eb6bba28887 Mon Sep 17 00:00:00 2001
From: Remigijus Kiminas
Date: Tue, 24 Aug 2021 00:16:03 -0400
Subject: [PATCH] Send X-Frame-Options: DENY if url is private or it's an admin one

---
 lhc_web/lib/core/lhcore/lhmodule.php | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/lhc_web/lib/core/lhcore/lhmodule.php b/lhc_web/lib/core/lhcore/lhmodule.php
index b4e2dedd41..6b5c3616ac 100644
--- a/lhc_web/lib/core/lhcore/lhmodule.php
+++ b/lhc_web/lib/core/lhcore/lhmodule.php
@@ -83,7 +83,13 @@ static function runModule()
 }
 try {
-
+
+ // Send X-Frame-Options if URL is private
+ // Or it's site_admin based one
+ if (isset($currentUser) || erLhcoreClassSystem::instance()->SiteAccess == 'site_admin') {
+ header('X-Frame-Options: DENY');
+ }
+
 if (isset($currentUser) && $currentUser->isLogged() && ($timeZone = $currentUser->getUserTimeZone()) != '') {
 self::$defaultTimeZone = $timeZone;
 date_default_timezone_set(self::$defaultTimeZone);