Protecting your Laravel website from iframe embeds
By default, Laravel does not prevent your application from being embedded by other sites. This is bad for various reasons, such as security risks, SEO problems, and iframe usability issues.
Although Laravel does not prevent your application from being embedded in an iframe by default, it does come with FrameGuard out of the box. It sets the X-Frame-Options header to SAMEORIGIN, which tells browsers whether or not to display the page in an iframe.
To enable it, edit app/Http/Kernel.php.
You can add it to the protected $middleware property, which will enable it across your application:

```php
protected $middleware = [
    // ... existing global middleware ...
    \Illuminate\Http\Middleware\FrameGuard::class,
];
```
Alternatively, you can add it to the protected $routeMiddleware property to have more granular control over which routes it applies to:

```php
protected $routeMiddleware = [
    // ... existing route middleware ...
    'frameGuard' => \Illuminate\Http\Middleware\FrameGuard::class,
];
```
In your routes file you would do:

```php
Route::get('/user/profile', function () {
    //
})->middleware('frameGuard')->name('profile');
```
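With the per-route approach it is easy to forget the middleware on a new route. The following feature test is an added example, not code from the original post: it fails when any route lacks FrameGuard. It assumes the default Laravel test setup (`Tests\TestCase`); the class name and the `$embeddable` allow-list are hypothetical.

```php
<?php

namespace Tests\Feature;

use Illuminate\Contracts\Http\Kernel;
use Illuminate\Http\Middleware\FrameGuard;
use Illuminate\Support\Facades\Route;
use Tests\TestCase;

class FrameGuardCoverageTest extends TestCase
{
    // Hypothetical allow-list: URIs that are intentionally embeddable.
    private array $embeddable = ['embed/widget'];

    public function test_every_route_is_covered_by_frame_guard(): void
    {
        // Registered in $middleware: every response passes through FrameGuard.
        if ($this->app->make(Kernel::class)->hasMiddleware(FrameGuard::class)) {
            $this->assertTrue(true);
            return;
        }

        $router = $this->app->make('router');
        $unprotected = [];

        foreach (Route::getRoutes() as $route) {
            if (in_array($route->uri(), $this->embeddable, true)) {
                continue;
            }
            // Resolves aliases such as 'frameGuard' and middleware groups to class names.
            $resolved = $router->gatherRouteMiddleware($route);
            if (! in_array(FrameGuard::class, $resolved, true)) {
                $unprotected[] = implode('|', $route->methods()).' '.$route->uri();
            }
        }

        $this->assertSame([], $unprotected, 'Routes missing FrameGuard: '.implode(', ', $unprotected));
    }

    public function test_profile_response_carries_the_header(): void
    {
        // End-to-end check on the route from the post.
        $this->get('/user/profile')->assertHeader('X-Frame-Options', 'SAMEORIGIN');
    }
}
```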