I have made an app that has recently gone through a penetration test. I am required to set the X-Frame-Options header in the application to SAMEORIGIN. This is to prevent clickjacking. I believe this is possible in the app.yaml file, but I am not sure how to implement something like this. I have scanned the docs and still can't work out how to deny, only allow.
handlers:
- url: /.*
  script: public/index.php
  # Note: App Engine only honours http_headers on static_files/static_dir
  # handlers; a script handler ignores this key.
  http_headers:
    X-Frame-Options: SAMEORIGIN
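For reference, the only place App Engine's app.yaml accepts http_headers is on a static handler, so the attempt above cannot work for the PHP script handler: responses generated by a script have to set the header from application code. The following app.yaml is an added example, not part of the original question; the runtime line, the /static URL and the public/static directory are assumptions for illustration.

```yaml
# Added example (not from the original question). App Engine applies
# http_headers only to static_dir / static_files handlers; a script
# handler ignores the key, so the PHP application must emit the header.
runtime: php55    # assumed legacy PHP runtime for this example
api_version: 1

handlers:
  # Static assets are served directly by App Engine, so the header
  # can be attached here and will appear on every static response.
  - url: /static
    static_dir: public/static    # assumed directory
    http_headers:
      X-Frame-Options: SAMEORIGIN

  # Dynamic requests: http_headers is not valid on a script handler.
  # Send the header from PHP (for example a Laravel middleware) instead.
  - url: /.*
    script: public/index.php
```

A quick check after deploying is to request one static and one dynamic URL with curl -I and confirm that X-Frame-Options appears on both; if it is missing on the dynamic response, the application code is not setting it.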
I have found a solution to this using a middleware within Laravel 5.1.
The middleware is called FrameGuard and is stored at the following path:
Illuminate\Http\Middleware\FrameGuard
To enable it, add the following line to the protected $middleware array:
'Illuminate\Http\Middleware\FrameGuard',
This sets the X-Frame-Options header to SAMEORIGIN, which can be changed if required.
This prevents the clickjacking vulnerability in a Laravel application.
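If the built-in middleware's fixed SAMEORIGIN value is not enough (for instance when the pentest report asks for DENY on pages that are never framed), a small custom middleware gives you control over the value and also emits the equivalent Content-Security-Policy frame-ancestors directive, which current browsers prefer over X-Frame-Options. The class below is an added example written for this answer; it is not Laravel's own FrameGuard. The namespace App\Http\Middleware, the class name and the route-parameter usage are assumptions; it is registered the same way as the built-in one, by adding '\App\Http\Middleware\FrameGuard' to the protected $middleware array in app/Http/Kernel.php.

```php
<?php
// Added example, not Laravel's own FrameGuard. Sets X-Frame-Options to a
// validated value and the matching CSP frame-ancestors directive.
// Namespace and class name are assumptions for illustration.

namespace App\Http\Middleware;

use Closure;

class FrameGuard
{
    /**
     * Accepted X-Frame-Options values. ALLOW-FROM is deliberately omitted:
     * it is deprecated and ignored by most browsers, which would silently
     * leave the page frameable.
     *
     * @var array
     */
    private static $validValues = ['DENY', 'SAMEORIGIN'];

    /**
     * Handle an incoming request.
     *
     * Usable as global middleware (default SAMEORIGIN) or as route
     * middleware with a parameter, e.g. 'frameguard:DENY'.
     *
     * @param  \Illuminate\Http\Request  $request
     * @param  \Closure                  $next
     * @param  string                    $value  'SAMEORIGIN' or 'DENY'
     * @return \Symfony\Component\HttpFoundation\Response
     */
    public function handle($request, Closure $next, $value = 'SAMEORIGIN')
    {
        $value = strtoupper($value);
        if (!in_array($value, self::$validValues, true)) {
            // Fail closed: a typo in the config must not disable the protection.
            throw new \InvalidArgumentException(
                "Unsupported X-Frame-Options value: {$value}"
            );
        }

        $response = $next($request);

        // Replace rather than append: a reverse proxy or another middleware
        // may already have added a weaker value, and browsers ignore the
        // header entirely when it carries conflicting values.
        $response->headers->set('X-Frame-Options', $value, true);

        // CSP frame-ancestors takes precedence over X-Frame-Options in
        // browsers that support it; 'self' mirrors SAMEORIGIN, 'none' mirrors DENY.
        $ancestors = ($value === 'DENY') ? "'none'" : "'self'";
        $response->headers->set(
            'Content-Security-Policy',
            "frame-ancestors {$ancestors}",
            true
        );

        return $response;
    }
}
```

Verify the result the same way the pentester will: curl -I against a page and check that both X-Frame-Options and Content-Security-Policy: frame-ancestors appear exactly once. Keep in mind that if your application already sends a Content-Security-Policy header from elsewhere, the call above replaces it, so in that case merge the frame-ancestors directive into the existing policy instead.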