// Output anti-framing headers to prevent clickjacking (respected by newer
// browsers).
if (common_config('javascript', 'bustframes')) {
- header('X-XSS-Protection 1; mode=block'); // detect XSS Reflection attacks
+ header('X-XSS-Protection: 1; mode=block'); // detect XSS Reflection attacks
header('X-Frame-Options: SAMEORIGIN'); // no rendering if origin mismatch
}