From 54b75026fce057829f65eb194fb1ff231b2fbf78 Mon Sep 17 00:00:00 2001
From: Hypolite Petovan
Date: Wed, 11 Apr 2018 23:28:51 -0400
Subject: [PATCH] Add header support for security token check

---
 include/security.php | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/include/security.php b/include/security.php
index af424df26c..b13a507cf4 100644
--- a/include/security.php
+++ b/include/security.php
@@ -405,12 +405,21 @@ function get_form_security_token($typename = '')
 function check_form_security_token($typename = '', $formname = 'form_security_token')
 {
-	if (!x($_REQUEST, $formname)) {
-		return false;
+	$hash = null;
+
+	if (!empty($_REQUEST[$formname])) {
+		/// @TODO Careful, not secured!
+		$hash = $_REQUEST[$formname];
 	}
-	/// @TODO Careful, not secured!
-	$hash = $_REQUEST[$formname];
+	if (!empty($_SERVER['HTTP_X_CSRF_TOKEN'])) {
+		/// @TODO Careful, not secured!
+		$hash = $_SERVER['HTTP_X_CSRF_TOKEN'];
+	}
+
+	if (empty($hash)) {
+		return false;
+	}
 	$max_livetime = 10800; // 3 hours