Fixed X-Frame-Options to be DENY in all admin pages to prevent a …

…clickjacking attack
getgrav · Sep 1, 2021 · 853abfb · 853abfb
1 parent 2f9b0a1
commit 853abfb
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,7 @@
 
 3. [](#bugfix)
     * Fixed regression `Argument 4 passed to Grav\Plugin\Form\TwigExtension::prepareFormField() must be of the type array` [#2177](https://github.com/getgrav/grav-plugin-admin/issues/2177)
+    * Fixed `X-Frame-Options` to be `DENY` in all admin pages to prevent a clickjacking attack
 
 # v1.10.19
 ## 08/31/2021

diff --git a/classes/plugin/Router.php b/classes/plugin/Router.php
@@ -67,6 +67,6 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
         $this->stopTimer();
 
         // Never allow admin pages to be rendered in <frame>, <iframe>, <embed> or <object> for improved security.
-        return $response->withHeader('X-Frame-Options', 'NONE');
+        return $response->withHeader('X-Frame-Options', 'DENY');
     }
 }