From 853abfbbd3c14a0a601c941dcfaa3858b6283b69 Mon Sep 17 00:00:00 2001
From: Matias Griese
Date: Wed, 1 Sep 2021 13:17:21 +0300
Subject: [PATCH] Fixed `X-Frame-Options` to be `DENY` in all admin pages to prevent a clickjacking attack
---
 CHANGELOG.md | 1 +
 classes/plugin/Router.php | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f9559e5f1..f7eca9c3e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@
 3. [](#bugfix)
 * Fixed regression `Argument 4 passed to Grav\Plugin\Form\TwigExtension::prepareFormField() must be of the type array` [#2177](https://github.com/getgrav/grav-plugin-admin/issues/2177)
+ * Fixed `X-Frame-Options` to be `DENY` in all admin pages to prevent a clickjacking attack
 # v1.10.19
 ## 08/31/2021
diff --git a/classes/plugin/Router.php b/classes/plugin/Router.php
index 2c866616b..c9e32177f 100644
--- a/classes/plugin/Router.php
+++ b/classes/plugin/Router.php
@@ -67,6 +67,6 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
 $this->stopTimer();
 // Never allow admin pages to be rendered in ,