Merge pull request #163 from Extendy/mohd

bug: fix Clickjacking bug #160

Author: mshannaq

app/Config/Filters.php

@@ -28,6 +28,7 @@ class Filters extends BaseConfig
         'afterlangchange' => \App\Filters\LangFilter::class,  // it is just a test just to show how filter works , mshannaq not real filter
         'webratelimit'    => \App\Filters\Webratelimit::class,
         'smartyglobal'    => \App\Filters\SmartyglobalFilter::class,
+        'clickjacking' => \App\Filters\ClickjackingFilter::class,
 
         // if you want to define alias for multiple filter see https://forum.codeigniter.com/thread-76946.html
 
@@ -66,11 +67,13 @@ class Filters extends BaseConfig
             // 'session' => ['except' => ['/', 'go/*', 'tests*', 'lang*', 'account/login*', 'account/register', 'account/auth/a/*']],
             // 'invalidchars',
             'smartyglobal', // global filter for SmartyUrl
+
         ],
         'after' => [
             'toolbar',
             // 'honeypot',
             // 'secureheaders',
+            'clickjacking', // check security headers to mitigate clickjacking
         ],
     ];
 

app/Filters/ClickjackingFilter.php

@@ -0,0 +1,24 @@
+<?php
+
+namespace App\Filters;
+
+use CodeIgniter\HTTP\RequestInterface;
+use CodeIgniter\HTTP\ResponseInterface;
+use CodeIgniter\Filters\FilterInterface;
+
+class ClickjackingFilter implements FilterInterface
+{
+    public function before(RequestInterface $request, $arguments = null)
+    {
+        // Nothing to do before controller runs
+    }
+
+    public function after(RequestInterface $request, ResponseInterface $response, $arguments = null)
+    {
+        // Add security headers to mitigate clickjacking
+        // Block all framing from anywhere
+        $response->setHeader('X-Frame-Options', 'DENY');
+        $response->setHeader('Content-Security-Policy', "frame-ancestors 'none';");
+        return $response;
+    }
+}