doubi2145 2017-02-20 02:13
Views: 151

X-Frame-Options header not set in a Laravel web application

I've started building an ecommerce website using Laravel, and now that I'm starting to build the payment processing page I'm becoming more concerned with the security side of things.

I stumbled upon a bunch of headers I was missing and decided to add the proper ones. I added headers to all my links using a middleware called "Secure":

// "Secure" middleware: adds the security headers to every response that passes through it
public function handle($request, Closure $next)
{
    // Let the rest of the stack build the response first
    $response = $next($request);

    // withHeaders() sets each header on the response and returns the same response object
    $response->withHeaders([
        'X-Frame-Options' => 'DENY',
        'X-XSS-Protection' => '1; mode=block',
        'X-Permitted-Cross-Domain-Policies' => 'master-only',
        'X-Content-Type-Options' => 'nosniff',
        'Referrer-Policy' => 'no-referrer-when-downgrade',
        'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains',
        'Cache-Control' => 'no-cache, no-store, must-revalidate, post-check=0, pre-check=0',
        'Pragma' => 'no-cache',
        'Expires' => 'Sat, 26 Jul 1997 05:00:00 GMT',
    ]);

    return $response;
}

Then I just route group all the links I want with these headers in the web.php file. Now all the other headers are showing up:

HTTP/1.1 200 OK
date: Mon, 20 Feb 2017 01:58:50 GMT
server: Apache/2.4.7 (Ubuntu)
cache-control: must-revalidate, no-cache, no-store, post-check=0, pre-check=0, private
x-xss-protection: 1; mode=block
x-permitted-cross-domain-policies: master-only
x-content-type-options: nosniff
referrer-policy: no-referrer-when-downgrade
strict-transport-security: max-age=31536000; includeSubDomains
pragma: no-cache
expires: Sat, 26 Jul 1997 05:00:00 GMT

This is part of the response headers, and the response does not include X-Frame-Options although it does include the others. Even when I put my website through a header scanning site like securityheaders.io, they detect it as a missing header. I was wondering what I could do to fix this, or if it is even an issue?

I should mention I've tried using the PHP header() function with similar results. Maybe something is deleting the X-Frame-Options header?
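As an added example (not code from the question or from Laravel), a small Python audit that parses a captured response head and reports the missing or weak headers a scanner such as securityheaders.io would flag. The sample response is constructed from the headers quoted in the question, and the 180-day HSTS minimum is an assumed policy threshold.

```python
from typing import Dict, List

# Constructed sample: the response head quoted in the question, which lacks X-Frame-Options.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
cache-control: must-revalidate, no-cache, no-store, post-check=0, pre-check=0, private
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: no-referrer-when-downgrade
strict-transport-security: max-age=31536000; includeSubDomains
"""

MIN_HSTS_MAX_AGE = 15552000  # 180 days; an assumed policy threshold for this example


def parse_headers(raw: str) -> Dict[str, str]:
    """Turn a raw response head into a dict keyed by lower-cased header name."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def hsts_max_age(value: str) -> int:
    """Extract max-age from a Strict-Transport-Security value; 0 if absent or malformed."""
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return 0


def audit(headers: Dict[str, str]) -> List[str]:
    """Return findings for missing or weak headers; an empty list means all checks passed."""
    findings: List[str] = []
    xfo = headers.get("x-frame-options", "").upper()
    if not xfo:
        findings.append("x-frame-options missing: responses can be framed by any site")
    elif xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"x-frame-options has unexpected value {xfo!r}")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("x-content-type-options should be 'nosniff'")
    if hsts_max_age(headers.get("strict-transport-security", "")) < MIN_HSTS_MAX_AGE:
        findings.append("strict-transport-security missing or max-age too short")
    cache = {d.strip().lower() for d in headers.get("cache-control", "").split(",")}
    if "no-store" not in cache:
        findings.append("cache-control lacks no-store: sensitive pages may be cached")
    return findings
```

Running `audit(parse_headers(SAMPLE_RESPONSE))` on the quoted response yields exactly one finding, the missing X-Frame-Options, which matches what the scanner reported.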


0 answers
