Chris Townsend

Reputation: 2716

Google App Engine PHP setting x frame options to same origin

I have made an app that has recently gone through a penetration test. I am required to set the X-Frame-Options header in the application to SAMEORIGIN. This is to prevent clickjacking. I believe this is possible in the app.yaml file, but I am not sure how to implement something like this. I have scanned the docs and still can't work out how to deny, only allow.

handlers:
- url: /.*
  script: public/index.php
  http_headers:
    X-Frame-Options: SAMEORIGIN

Upvotes: 1

Views: 1447

Answers (2)

tomsseisums

Reputation: 13367

To anyone stumbling on this, the reason http_headers doesn't work is that it can only be applied to static file handlers, as mentioned in the docs:

Optional. You can set HTTP headers for responses of your static file or directory handlers. If you need to set HTTP headers in your script handlers, you should instead do that in your app's code.

Upvotes: 0

Chris Townsend

Reputation: 2716

I have found a solution to this using a middleware within Laravel 5.1.

The middleware is called FrameGuard and is stored at the following location:

Illuminate\Http\Middleware\FrameGuard

To enable this, add the following line to the protected middleware array:

'Illuminate\Http\Middleware\FrameGuard',

This sets the X-Frame-Options header to SAMEORIGIN, which can be changed if required.

This prevents the clickjacking vulnerability in a Laravel application.

Upvotes: 1
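The two answers together make one point: on App Engine the header has to be emitted by the PHP code behind the script handler, and in Laravel that is done with a middleware. The following is an added example, not code from the question, the answers or the Laravel project: a Laravel 5.1-style middleware that sets X-Frame-Options on every script-handled response, validates the configured value (only DENY and SAMEORIGIN are honoured by browsers), and adds the CSP frame-ancestors directive as the modern equivalent. The class name App\Http\Middleware\FrameOptions, the constructor default and the static helper for a plain public/index.php front controller are assumptions of this example; Laravel's own FrameGuard is the class named in the answer above.

```php
<?php
// Added example, not part of the original question or answers.
// Assumed class name; register it in the protected $middleware array of
// app/Http/Kernel.php the same way the answer registers FrameGuard.

namespace App\Http\Middleware;

use Closure;

class FrameOptions
{
    // The only two X-Frame-Options values browsers honour. Anything else
    // (typos, ALLOW-FROM, an empty string) falls back to the strictest one.
    private const ALLOWED = ['DENY', 'SAMEORIGIN'];

    /** @var string */
    private $value;

    public function __construct($value = 'SAMEORIGIN')
    {
        $value = strtoupper(trim((string) $value));
        $this->value = in_array($value, self::ALLOWED, true) ? $value : 'DENY';
    }

    /**
     * Run after the route has produced its response, so the header is present
     * on every script-handled response regardless of which controller ran.
     */
    public function handle($request, Closure $next)
    {
        $response = $next($request);

        // Do not clobber a value a specific route has deliberately chosen.
        if (!$response->headers->has('X-Frame-Options')) {
            $response->headers->set('X-Frame-Options', $this->value);
        }

        // CSP frame-ancestors supersedes X-Frame-Options in current browsers;
        // send both so old and new user agents are covered.
        if (!$response->headers->has('Content-Security-Policy')) {
            $ancestors = $this->value === 'DENY' ? "'none'" : "'self'";
            $response->headers->set(
                'Content-Security-Policy',
                "frame-ancestors {$ancestors}"
            );
        }

        return $response;
    }

    /**
     * Plain-PHP equivalent for an App Engine script handler that is not using
     * Laravel: call this from public/index.php before any output is sent.
     * Returns false if headers were already flushed and nothing could be set.
     */
    public static function sendPlain($value = 'SAMEORIGIN')
    {
        if (headers_sent()) {
            return false;
        }
        $self = new self($value);
        header('X-Frame-Options: ' . $self->value);
        $ancestors = $self->value === 'DENY' ? "'none'" : "'self'";
        header("Content-Security-Policy: frame-ancestors {$ancestors}");
        return true;
    }
}
```

To confirm the deployment actually sends the header, request any script-handled URL with curl -I and look for both X-Frame-Options and Content-Security-Policy in the response; a static handler served from app.yaml will not pass through this middleware, so static files that must not be framed still need http_headers on their own handler, as the first answer notes.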
