From 2b63386f9f78f4dfc11311a6ce49c806effdf023 Mon Sep 17 00:00:00 2001
From: Dennis Eichhorn
Date: Fri, 15 Jul 2016 17:30:27 +0200
Subject: [PATCH] fixes #50 Security headers are now locked after set once.
---
 Message/Http/Header.php | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/Message/Http/Header.php b/Message/Http/Header.php
index 68b48af3c..bbc45e8ae 100644
--- a/Message/Http/Header.php
+++ b/Message/Http/Header.php
@@ -123,9 +123,18 @@ class Header extends HeaderAbstract
 throw new \Exception('Already locked');
 }
+ $key = strtolower($key);
+
 if (!$overwrite && isset($this->header[$key])) {
 return false;
- } elseif ($overwrite) {
+ } elseif ($overwrite && isset($this->header[$key])) {
+ if($key === 'content-security-policy' ||
+ $key === 'x-xss-protection' ||
+ $key === 'x-content-type-options' ||
+ $key === 'x-frame-options') {
+ throw new \Exception('Cannot change security headers.');
+ }
+
 unset($this->header[$key]);
 }
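Review bot: The write-once guard in the new `elseif ($overwrite && isset($this->header[$key]))` branch protects the four security headers only on this method's overwrite path. Any other code in the class that unsets or writes `$this->header` entries without the same check would still let a caller drop one of them and set it again; the hunk does not show whether such a path exists, so that needs confirming. Keeping the protected names in one place, for example a private helper that both the set and the removal path consult, would stop the two from drifting apart, and `Strict-Transport-Security` looks like a candidate for the same list. Because `$key` is now lowercased here, every other lookup in the class should lowercase as well, otherwise an entry stored under a mixed-case name is missed by `isset($this->header[$key])` and the guard is skipped. The enclosing method starts and ends outside the hunk; as a style point, `if($key === ...` should read `if ($key === ...` to match the surrounding code.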