Reputation: 4908
We have a Laravel application (Laravel 5.6.35) where we set the X-Frame-Options header using .htaccess in the /public folder.
```apacheconf
<IfModule mod_rewrite.c>
...
</IfModule>
<IfModule mod_headers.c>
# Prevent click jacking
Header set X-Frame-Options Deny
Header always append X-Frame-Options SAMEORIGIN
</IfModule>
```
This works fine on the local development environment (Laravel, PHP 7.1.23, Apache2, Debian 8.11 on Vagrant). All responses have the X-Frame-Options header set.
With exactly the same setup (except it's not Vagrant) on the testing server, only the static content (css, js, images) contains the X-Frame-Options header, but all Laravel-generated content (anything that goes through index.php) does not have the X-Frame-Options header set.
How can there be a different result from seemingly the same setups?
How can we set X-Frame-Options header for all routes?
(the headers_module is enabled on both servers)
Upvotes: 2
Views: 4029
Reputation: 4908
In the end I added X-Frame-Options both to .htaccess and as a middleware in Laravel. This way both Laravel routes and static content like /css and /public work fine.
File: app/Http/Kernel.php

```php
protected $middlewareGroups = [
    'web' => [
        ...,
        \App\Http\Middleware\XFrameHeaders::class,
    ],
];
```
New file: app/Http/Middleware/XFrameHeaders.php

```php
<?php

namespace App\Http\Middleware;

use Closure;

class XFrameHeaders
{
    public function handle($request, Closure $next)
    {
        // Let the rest of the pipeline build the response first ...
        $response = $next($request);

        // ... then attach the clickjacking protection header to it
        $response->header('X-Frame-Options', 'deny');
        //add more headers here

        return $response;
    }
}
```
And in .htaccess (remove the 'header always append' part):

```apacheconf
<IfModule mod_headers.c>
# Prevent click jacking
Header set X-Frame-Options Deny
</IfModule>
```
Upvotes: 5