@EduardoSP6
Last active April 5, 2024 20:37
How to set X-Frame-Options headers in Laravel
1- Create a Middleware:
$ php artisan make:middleware XFrameHeadersMiddleware
Content:
<?php

namespace App\Http\Middleware;

use Closure;

class XFrameHeadersMiddleware
{
    /**
     * Handle an incoming request.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure  $next
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        /**
         * This middleware was created to prevent OWASP warnings, like:
         *
         * The X-Frame-Options header is not set in the HTTP response, meaning the page can potentially be loaded into
         * an attacker-controlled frame. This could lead to clickjacking, where an attacker adds an invisible layer on
         * top of the legitimate page to trick users into clicking on a malicious link or taking a harmful action.
         *
         * X-Frame-Options allows three values: DENY, SAMEORIGIN and ALLOW-FROM. It is recommended to use DENY,
         * which prevents all domains from framing the page, or SAMEORIGIN, which allows framing only by the same origin.
         * DENY and SAMEORIGIN are supported by all browsers. ALLOW-FROM is obsolete and not supported by current
         * browsers; if specific third-party origins must be allowed to frame the page, use the Content-Security-Policy
         * frame-ancestors directive instead.
         *
         * For more information, see: https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html
         */

        // Run the rest of the stack first, then set the header on the outgoing response.
        $response = $next($request);
        $response->headers->set('X-Frame-Options', 'SAMEORIGIN');

        return $response;
    }
}
2- Register it in app/Http/Kernel.php (Laravel 10 and earlier). Adding it to the global $middleware array applies it to every response; to cover only browser-facing routes, add it to the 'web' group in $middlewareGroups instead:
protected $middleware = [
    \App\Http\Middleware\XFrameHeadersMiddleware::class,
];
On Laravel 11, which has no app/Http/Kernel.php, register it in bootstrap/app.php inside the withMiddleware() callback with $middleware->append(\App\Http\Middleware\XFrameHeadersMiddleware::class). Afterwards confirm the header actually reaches the client (a reverse proxy or CDN can strip or override it) with curl -sI on a page and check for the X-Frame-Options line.
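The middleware above only covers the same-origin case and only uses the legacy header. As an added example (not the gist author's code), here is a variant that also sends the Content-Security-Policy frame-ancestors directive recommended by the OWASP cheat sheet linked above, supports an allow-list of partner origins (which X-Frame-Options cannot express now that ALLOW-FROM is obsolete), and merges into a CSP header that another layer already set instead of clobbering it. The class name, the config key security.frame_ancestors and the headersFor() helper are assumptions for this example.

```php
<?php
// Added example, not from the gist: clickjacking defence middleware that sends
// CSP frame-ancestors plus X-Frame-Options as a fallback. The class name,
// the 'security.frame_ancestors' config key and headersFor() are assumptions.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class FrameEmbeddingMiddleware
{
    public function handle(Request $request, Closure $next): Response
    {
        $response = $next($request);

        // Assumed config: origins allowed to frame this app, e.g.
        // ['https://portal.example']. An empty array means same-origin only.
        $allowed = (array) config('security.frame_ancestors', []);

        $headers = self::headersFor($allowed, $response->headers->get('Content-Security-Policy'));
        foreach ($headers as $name => $value) {
            $response->headers->set($name, $value);
        }

        return $response;
    }

    /**
     * Compute the headers to send. Kept free of framework state so it can be
     * unit-tested without booting Laravel.
     *
     * @param  string[]     $allowed      extra origins allowed to frame the page
     * @param  string|null  $existingCsp  CSP header already on the response, if any
     * @return array<string,string>
     */
    public static function headersFor(array $allowed, ?string $existingCsp): array
    {
        // Accept only well-formed https origins; anything else is dropped rather
        // than silently widening the policy.
        $origins = array_values(array_filter($allowed, function (string $o): bool {
            return (bool) preg_match('#^https://[A-Za-z0-9.-]+(:\d+)?$#', $o);
        }));

        $frameAncestors = "frame-ancestors 'self'" . ($origins ? ' ' . implode(' ', $origins) : '');

        $headers = [];

        // Merge into an existing CSP instead of replacing it. If that policy
        // already carries frame-ancestors it is left alone: browsers honour only
        // the first occurrence of a directive within one policy.
        if ($existingCsp !== null && $existingCsp !== '') {
            $headers['Content-Security-Policy'] = stripos($existingCsp, 'frame-ancestors') !== false
                ? $existingCsp
                : rtrim($existingCsp, '; ') . '; ' . $frameAncestors;
        } else {
            $headers['Content-Security-Policy'] = $frameAncestors;
        }

        // X-Frame-Options cannot express an allow-list, so it is sent only for
        // the same-origin case, as a fallback for browsers without frame-ancestors
        // support. Browsers that understand frame-ancestors ignore X-Frame-Options
        // when both headers are present, so sending both is safe.
        if (!$origins) {
            $headers['X-Frame-Options'] = 'SAMEORIGIN';
        }

        return $headers;
    }
}
```

Register it exactly as in step 2. With an empty allow-list the response carries both `Content-Security-Policy: frame-ancestors 'self'` and `X-Frame-Options: SAMEORIGIN`; with `['https://portal.example']` it carries only `Content-Security-Policy: frame-ancestors 'self' https://portal.example`, because a SAMEORIGIN fallback would block the partner in browsers that do not understand frame-ancestors. Note that frame-ancestors is ignored when delivered through a `<meta>` tag, so it must be a response header, which is why this belongs in middleware rather than in a Blade layout.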
@calebadeleye

thanks

@renaldiadrian98

Thanks

@mateusgalasso

thanks

@riobayusentosa

Did someone try this? @calebadeleye @renaldiadrian98 @stonkeep

this is not working ...
