To guard against UI redressing, clickjacking or XSS you can use the Content-Security-Policy (CSP) HTTP header, which is supported by newer browsers. To block iframing of your site in most browsers you can use X-Frame-Options. Below is a PHP script that whitelists the sources the page is allowed to load content from, so that anything injected from elsewhere is blocked. This stops

To apply this in PHP you would include cspheader.php at the beginning of any script, before any output is sent (PHP cannot add headers once the response body has started). Alternatively you could modify your Apache config (httpd.conf) and restart the server, and every page served would carry the header. Thirdly you could use a .htaccess file in the root directory of your website, and all files in it and in its child directories would use it. Which you choose depends on how much access you have to your server and site.

<?php
// CSP only works in modern browsers (Chrome 25+, Firefox 23+, Safari 7+).
$headerCSP = "Content-Security-Policy: ".
    "connect-src 'self'; ".                // XMLHttpRequest (AJAX), WebSocket or EventSource targets
    "default-src 'self'; ".                // fallback policy for any fetch directive not listed explicitly
    "frame-ancestors 'self'; ".            // who may frame this page; this is the clickjacking / UI-redress control
    "frame-src 'none'; ".                  // valid sources for frames this page embeds
    "media-src 'self' *; ".                // valid sources for <audio>/<video> src ('*' allows any origin; tighten it if you can)
    "object-src 'none'; ".                 // valid sources for <object>, <embed> and <applet>
    "report-uri /csp-report.php; ".        // URL that receives a JSON POST describing each blocked item (placeholder path; point it at your handler)
    "script-src 'self' 'unsafe-inline'; ". // JS from this origin only; 'unsafe-inline' also permits inline <script>, which largely defeats CSP's XSS protection
    "style-src 'self' 'unsafe-inline';";   // CSS from this origin only; 'unsafe-inline' permits inline styles
// Send the header in the HTTP response to tell the browser what is whitelisted.
// Enforcement is up to the browser, and support varies between browsers.
header($headerCSP);
// X-Frame-Options is not a standard (the X- prefix marks an extension header). It was never
// formally specified but is supported by most browsers in use in 2015 and blocks iframing of
// your website in browsers that do not understand frame-ancestors.
header('X-Frame-Options: SAMEORIGIN');
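As an added example (not code from the original post, and written in Python rather than PHP so it can be run against any policy string), the following parses a policy of the shape the script above builds and flags the settings that weaken it: 'unsafe-inline' without a nonce or hash, a '*' source, an object-src that is not 'none', a report-uri with no URL. PAGE_POLICY is constructed here to mirror the PHP script (with the blank report-uri the original shipped with); HARDENED_POLICY, its nonce value and the /csp-report.php path are assumed for illustration, and the lint rules are this example's own heuristics, not a browser's parser.

```python
"""Parse a Content-Security-Policy value and flag its weak spots.

Added example, not code from the original post. PAGE_POLICY mirrors the
PHP script above; HARDENED_POLICY, its nonce and report path are assumed.
"""
from typing import Dict, List

# Fetch directives that inherit from default-src when they are absent.
FETCH_DIRECTIVES = (
    "script-src", "style-src", "img-src", "connect-src", "media-src",
    "object-src", "font-src", "frame-src", "child-src",
)
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

# Constructed to match the policy the PHP script builds (blank report-uri included).
PAGE_POLICY = (
    "connect-src 'self'; default-src 'self'; frame-ancestors 'self'; "
    "frame-src 'none'; media-src 'self' *; object-src 'none'; report-uri; "
    "script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
)
# Assumed hardened variant: the nonce value and report path are placeholders.
HARDENED_POLICY = (
    "default-src 'self'; script-src 'self' 'nonce-Zm9vYmFy'; style-src 'self'; "
    "object-src 'none'; frame-ancestors 'self'; base-uri 'self'; "
    "form-action 'self'; report-uri /csp-report.php"
)


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split "name src ...; name src ..." into {name: [sources]}.

    Names are case-insensitive and, as in browsers, the first occurrence
    of a directive wins over later duplicates.
    """
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(directives: Dict[str, List[str]], name: str) -> List[str]:
    """Sources a directive really gets, honouring the default-src fallback."""
    if name in directives:
        return directives[name]
    if name in FETCH_DIRECTIVES:
        return directives.get("default-src", [])
    return []


def lint_csp(policy: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    d = parse_csp(policy)
    findings: List[str] = []
    if "default-src" not in d:
        findings.append("default-src missing: any fetch directive you forgot is unrestricted")
    for name in ("script-src", "style-src"):
        srcs = effective_sources(d, name)
        has_hash_or_nonce = any(s.startswith(HASH_OR_NONCE) for s in srcs)
        # A nonce or hash makes CSP2+ browsers ignore 'unsafe-inline', so only
        # flag it when nothing would override it.
        if "'unsafe-inline'" in srcs and not has_hash_or_nonce:
            findings.append(f"{name} allows 'unsafe-inline' without a nonce or hash")
        if "'unsafe-eval'" in srcs:
            findings.append(f"{name} allows 'unsafe-eval'")
    for name in ("default-src",) + FETCH_DIRECTIVES:
        if "*" in d.get(name, []):
            findings.append(f"{name} contains '*': any origin may be loaded")
    if effective_sources(d, "object-src") != ["'none'"]:
        findings.append("object-src is not 'none': plugin content can be used to run script")
    if "frame-ancestors" not in d:
        findings.append("frame-ancestors missing: clickjacking protection relies on X-Frame-Options alone")
    if "report-uri" in d and not d["report-uri"]:
        findings.append("report-uri has no URL: violations will never be reported")
    return findings


if __name__ == "__main__":
    for line in lint_csp(PAGE_POLICY):
        print("-", line)
    print("hardened policy findings:", lint_csp(HARDENED_POLICY))
```

Run it and the page's policy produces four findings (both 'unsafe-inline' directives, the '*' in media-src and the empty report-uri), while the hardened variant produces none; swap in your own header value to check a deployed policy.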


# The same headers can be set from a .htaccess file instead of PHP; where you set them
# depends on what access you have to the server. These directives need mod_headers.
# Unset first so a value set elsewhere in the configuration is not duplicated.
Header unset Content-Security-Policy
# Put the full set of CSP directives you want here; default-src 'self' alone is the minimum.
Header add Content-Security-Policy "default-src 'self'"
# Older browsers (pre-CSP 1.0 Firefox) honour X-Content-Security-Policy but not Content-Security-Policy
Header unset X-Content-Security-Policy
Header add X-Content-Security-Policy "default-src 'self'"
# Older WebKit browsers (pre-CSP 1.0 Chrome and Safari) honour X-WebKit-CSP but not Content-Security-Policy
Header unset X-WebKit-CSP
Header add X-WebKit-CSP "default-src 'self'"
# These headers also help.
# nosniff stops the browser MIME-sniffing scripts and styles into a different type.
Header set X-Content-Type-Options "nosniff"
# Legacy browser XSS filter; current browsers have dropped it, so do not rely on it.
Header set X-XSS-Protection "1; mode=block"
# DENY forbids all framing, including by your own pages; use SAMEORIGIN if you frame yourself,
# and keep it consistent with the frame-ancestors directive in your CSP.
Header set X-Frame-Options "DENY"
# Roughly 20 years of HTTPS-only for this host and all its subdomains.
Header set Strict-Transport-Security "max-age=631138519; includeSubDomains"


<?php
// Browsers POST the violation report as JSON with Content-Type application/csp-report.
// $HTTP_RAW_POST_DATA was removed in PHP 7; read the raw body from php://input instead.
$data = json_decode(file_get_contents('php://input'), true);
if (!is_array($data) || !isset($data['csp-report']) || !is_array($data['csp-report'])) {
    http_response_code(400);
    exit;
}
$report = $data['csp-report'];
// Report keys are hyphenated (blocked-uri, not blocked_uri). Every value is attacker-controlled
// input (anyone can POST to this URL), so escape it before putting it in an HTML mail.
$field = function ($key) use ($report) {
    return htmlspecialchars(isset($report[$key]) ? (string) $report[$key] : '', ENT_QUOTES, 'UTF-8');
};
$to = ''; // recipient address (left blank here; fill in your own)
$subject = 'CSP Violations';
$message = "Following violations occurred:<br/><br/>";
$message .= "<b>Document URI:</b> " . $field('document-uri') . "<br/><br/>";
$message .= "<b>Referrer:</b> " . $field('referrer') . "<br/><br/>";
$message .= "<b>Blocked URI:</b> " . $field('blocked-uri') . "<br/><br/>";
$message .= "<b>Violated Directive:</b> " . $field('violated-directive') . "<br/><br/>";
$message .= "<b>Original Policy:</b> " . $field('original-policy') . "<br/><br/>";
// To send HTML mail, the Content-type header must be set
$headers = 'MIME-Version: 1.0' . "\r\n";
$headers .= 'Content-type: text/html; charset=UTF-8' . "\r\n";
$headers .= 'From: Example Website <>' . "\r\n";
// Mail it
mail($to, $subject, $message, $headers);
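The report handler above trusts whatever is POSTed to it. As an added example (not from the original post, and in Python rather than PHP), the following parses a report body the way browsers send it to report-uri, rejects anything that is not a well-formed CSP report, filters out the browser-extension noise that makes up much of a real report stream, and HTML-escapes every field before it goes into a mail. The sample report bodies, the noise-prefix list and the size limit are constructed assumptions for illustration.

```python
"""Turn a CSP violation report POST into a safe summary.

Added example, not code from the original post. SAMPLE_REPORT and
NOISE_REPORT are constructed to have the shape browsers send to
report-uri; the noise prefixes and size limit are this example's choices.
"""
import html
import json
from typing import Dict, Optional

# Browsers send hyphenated keys; a handler must use these exactly.
REPORT_FIELDS = (
    "document-uri", "referrer", "blocked-uri", "violated-directive",
    "effective-directive", "original-policy", "source-file", "line-number",
)
MAX_BODY_BYTES = 16 * 1024
ACCEPTED_TYPES = ("application/csp-report", "application/json")

# Blocked URIs that come from browser extensions or internal pages rather
# than from your site (assumed list; extend it from what you actually receive).
NOISE_PREFIXES = (
    "chrome-extension://", "moz-extension://", "safari-extension://",
    "ms-browser-extension://", "about",
)

# Constructed sample: a third-party script blocked by script-src 'self'.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://www.example.com/account",
    "referrer": "",
    "blocked-uri": "https://evil.example.net/x.js",
    "violated-directive": "script-src 'self'",
    "effective-directive": "script-src",
    "original-policy": "default-src 'self'; script-src 'self'; report-uri /csp-report.php",
    "source-file": "https://www.example.com/account",
    "line-number": 42,
}}).encode()

# Constructed sample: an extension injecting script, not an attack on the site.
NOISE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://www.example.com/",
    "blocked-uri": "chrome-extension://abcdefghijklmnop/inject.js",
    "violated-directive": "script-src 'self'",
    "original-policy": "default-src 'self'",
}}).encode()


def parse_report(body: bytes, content_type: str) -> Optional[Dict[str, str]]:
    """Return the report fields as strings, or None if the request is not a
    well-formed CSP report (wrong media type, oversized, bad JSON, no envelope)."""
    media_type = content_type.split(";")[0].strip().lower()
    if media_type not in ACCEPTED_TYPES or len(body) > MAX_BODY_BYTES:
        return None
    try:
        data = json.loads(body)
    except ValueError:
        return None
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict):
        return None
    # Stringify everything (line-number arrives as an int) and drop unknown keys.
    return {k: str(report.get(k, "")) for k in REPORT_FIELDS}


def is_noise(report: Dict[str, str]) -> bool:
    """True when the blocked resource was injected by the browser or an extension."""
    return report.get("blocked-uri", "").startswith(NOISE_PREFIXES)


def format_html_summary(report: Dict[str, str]) -> str:
    """Build the mail body, escaping every field: the report is attacker-controlled."""
    lines = [f"<b>{html.escape(k)}:</b> {html.escape(v)}" for k, v in report.items() if v]
    return "<br/>".join(lines)


if __name__ == "__main__":
    for body in (SAMPLE_REPORT, NOISE_REPORT):
        parsed = parse_report(body, "application/csp-report")
        if parsed is None or is_noise(parsed):
            print("dropped")
        else:
            print(format_html_summary(parsed))
```

The handler accepts application/json as well as application/csp-report because some older browsers sent the former; drop it from ACCEPTED_TYPES if you only need current browsers.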

More Details/References on CSP