diff --git a/includes/init.php b/includes/init.php
index e97ba0200..9a5d80cfc 100644
--- a/includes/init.php
+++ b/includes/init.php
@@ -134,18 +134,23 @@ function print_header( $includes = '', $HeadX = '', $BodyX = '',
//
// ';
+ // Prevent click-jacking by including a "frame-breaker" script in each page that should not be framed.
+ // Source: https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html
+ Header("Content-Security-Policy: frame-ancestors 'self'"); // TODO: customize this via admin.php
+ $ret .= "\n\n" .
+ "\n";
+
+
// TODO: allow option to host bootstrap & jquery locally
// TODO: move version info someplace else so we can update boostrap version by updating just one file.
$ret .= $JQUERY;
- $xret .=
- '' .
- '' .
- '' .
- '' .
- '' .
- '' .
- '' .
- '' . "\n";
if( ! $disableUTIL )
$js_ar[] = 'js/util.js';