function seckit_boot in Security Kit 7

Implements hook_boot().

When multiple 'ALLOW-FROM' values are configured for X-Frame-Options, we dynamically set the header so that it is correct even when pages are served from the page cache.

In all other circumstances this implementation is hidden from Drupal (see seckit_module_implements_alter()), so it does not run.

See also

seckit_module_implements_alter().

File

./seckit.module, line 146
Allows administrators to improve security of the website.

Code

function seckit_boot() {
  $options = _seckit_get_options();
  if ($options['seckit_clickjacking']['x_frame'] != SECKIT_X_FRAME_ALLOW_FROM) {
    return;
  }

  // If this request's Origin is allowed, we specify that value.
  // If the origin is not allowed, we can use any other value to prevent
  // the client from framing the page.
  $allowed = $options['seckit_clickjacking']['x_frame_allow_from'];
  $origin = !empty($_SERVER['HTTP_ORIGIN']) ? $_SERVER['HTTP_ORIGIN'] : '';
  if (!in_array($origin, $allowed, TRUE)) {
    $origin = array_pop($allowed);
  }
  drupal_add_http_header('X-Frame-Options', "ALLOW-FROM {$origin}");
}
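To see the selection rule in isolation, the following is an added PHP example (not the module's own code) that models the branch above as a pure function, with the Drupal globals replaced by parameters, and checks it against constructed Origin values; the function name and the partner origins are assumptions.

```php
<?php
// Added example: models the X-Frame-Options selection in seckit_boot() outside
// Drupal so the security invariant can be checked without a site.

/**
 * Choose the X-Frame-Options value for one request.
 *
 * @param string[] $allowed  Configured ALLOW-FROM origins (assumed already
 *                           normalised, e.g. "https://partner-a.example").
 * @param string   $origin   The request's Origin header, '' when absent.
 *
 * @return string The header value to send.
 */
function seckit_example_x_frame_value(array $allowed, $origin) {
  // Strict comparison: only an exact allow-list match is echoed back, so a
  // client-controlled Origin can never put an arbitrary value in the header.
  if (!in_array($origin, $allowed, TRUE)) {
    // Any configured value works here: it still denies every other framer.
    $origin = array_pop($allowed);
  }
  return "ALLOW-FROM {$origin}";
}

// Constructed cases: an allowed origin, an unknown origin, and no Origin header.
$allowed = array('https://partner-a.example', 'https://partner-b.example');
$cases = array(
  'https://partner-a.example' => 'ALLOW-FROM https://partner-a.example',
  'https://evil.example'      => 'ALLOW-FROM https://partner-b.example',
  ''                          => 'ALLOW-FROM https://partner-b.example',
);
foreach ($cases as $origin => $expected) {
  $got = seckit_example_x_frame_value($allowed, $origin);
  // Invariant worth checking: the emitted origin is always one we configured.
  assert(in_array(substr($got, strlen('ALLOW-FROM ')), $allowed, TRUE));
  printf("%-28s -> %s%s\n",
    $origin === '' ? '(no Origin header)' : $origin,
    $got,
    $got === $expected ? '' : '  MISMATCH');
}
```

Requests that carry no Origin header take the fallback branch, so those clients always receive the last configured value; the page cache is not involved because hook_boot() runs before the cached page is served.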