Clickjacking is a malicious technique in which attackers trick users into clicking on something different from what they perceive, typically by embedding a target page inside a transparent iframe. This can lead to harmful consequences, such as data leakage or unwanted actions being performed on the user's behalf.
If you're working with Laravel, it's crucial to protect your application from this kind of attack. This guide explains what Clickjacking is, how it works, and provides coding examples to secure your Laravel application using simple yet effective techniques.
In a typical Clickjacking attack, an attacker might embed a legitimate website into a hidden iframe. The attacker overlays transparent elements or buttons on top of the iframe, misleading users into interacting with the iframe instead of the visible content. This could lead to unintended actions like changing settings, making purchases, or submitting forms.
Laravel provides multiple ways to mitigate the risk of Clickjacking attacks. The most common approach is to set the X-Frame-Options header on your HTTP responses. This tells the browser not to render your pages inside an iframe, which is the primary technique used in Clickjacking.
Step 1: Adding X-Frame-Options in Laravel
You can add the X-Frame-Options header globally to your Laravel application through an HTTP middleware. Laravel makes it simple to customize headers with a class placed in the app/Http/Middleware/ directory.
Here's sample code for a middleware that adds the X-Frame-Options header to every HTTP response:
    <?php

    namespace App\Http\Middleware;

    use Closure;
    use Illuminate\Http\Request;

    class PreventClickjacking
    {
        /**
         * Handle an incoming request and forbid framing of the response.
         *
         * @param  \Illuminate\Http\Request  $request
         * @param  \Closure  $next
         * @return mixed
         */
        public function handle(Request $request, Closure $next)
        {
            // Let the rest of the stack build the response first ...
            $response = $next($request);

            // ... then instruct the browser never to render it inside a frame.
            $response->headers->set('X-Frame-Options', 'DENY');

            return $response;
        }
    }
Step 2: Registering the Middleware
To apply this middleware globally, register it in the $middleware array of the app/Http/Kernel.php file:
    protected $middleware = [
        \App\Http\Middleware\PreventClickjacking::class,
        // Other global middleware
    ];
Now, browsers will refuse to render any of your Laravel app's pages inside an iframe, preventing Clickjacking.
Another effective way to prevent Clickjacking is a Content Security Policy (CSP) with the frame-ancestors directive. Modern browsers prefer this directive over X-Frame-Options when both are present, and a full CSP also guards against other vulnerabilities, such as Cross-Site Scripting (XSS).
To enable it in Laravel, set the following header on your responses (for example, in the same handle() method shown above):
    $response->headers->set('Content-Security-Policy', "frame-ancestors 'none'");
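The following is an added example, not code from the original post: a single middleware that sets both anti-framing headers, followed by a Laravel feature test that verifies the headers are present, which is a quick way to confirm the protection before reaching for an external scanner. The class name FrameProtection, the file paths and the test route are illustrative assumptions; the example assumes a Laravel 8 to 10 project with app/Http/Kernel.php, where the middleware is registered exactly as in Step 2 above.

```php
<?php
// Added example (not from the original post). Assumes Laravel 8-10;
// class names, file paths and the "/" route are illustrative.

// app/Http/Middleware/FrameProtection.php
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

class FrameProtection
{
    /**
     * Emit X-Frame-Options for older browsers and CSP frame-ancestors,
     * which modern browsers honour in preference when both are present.
     */
    public function handle(Request $request, Closure $next): Response
    {
        $response = $next($request);

        // DENY forbids framing from every origin, including our own site.
        // Use SAMEORIGIN here and 'self' below if your own pages must frame each other.
        $response->headers->set('X-Frame-Options', 'DENY');

        // If the application already emits a Content-Security-Policy, append
        // this directive to the existing policy instead of overwriting it.
        $response->headers->set('Content-Security-Policy', "frame-ancestors 'none'");

        return $response;
    }
}

// tests/Feature/FrameProtectionTest.php
namespace Tests\Feature;

use Tests\TestCase;

class FrameProtectionTest extends TestCase
{
    // Fails the build if either header goes missing, e.g. after a
    // middleware refactor or a change to Kernel::$middleware.
    public function test_responses_cannot_be_framed(): void
    {
        $response = $this->get('/');

        $response->assertHeader('X-Frame-Options', 'DENY');
        $response->assertHeader('Content-Security-Policy', "frame-ancestors 'none'");
    }
}
```

Run the test with php artisan test. To check a deployed site from the outside, request a page with curl -I and confirm both headers appear in the response; the test above guards the headers in your codebase, while the scanner described below checks what users actually receive.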
After securing your Laravel application, it's important to test whether these protections are working as expected. Use tools like the free Website Security Checker to scan your website and identify potential vulnerabilities.
Here's a screenshot of the free website security testing tool that can help you analyze and protect your website.
[Screenshot: the free tools webpage where you can access security assessment tools.]
Additionally, reviewing a Vulnerability Assessment Report after testing can provide insight into how well your Laravel site is protected. Below is an example of a vulnerability assessment report generated by our free tool.
[Screenshot: an example vulnerability assessment report generated with the free tool, listing possible vulnerabilities.]
By following the steps outlined in this post, you can ensure your Laravel application is protected from Clickjacking attacks. The X-Frame-Options header and the Content Security Policy frame-ancestors directive are both easy-to-implement, effective solutions that will keep your application safe from framing-based attacks.
If you’re serious about security, don’t forget to regularly test your website for vulnerabilities using the free Website Security Scanner.
Take action today to secure your Laravel application and stay safe from Clickjacking and other malicious attacks!