# Clickjacking Analyzer PRO

| Category | Severity | Time To Fix |
|---|---|---|
| 🛡️ Security | Major | 5 minutes |

Class: `Enlightn\EnlightnPro\Analyzers\Security\ClickjackingAnalyzer`

# Introduction

This analyzer checks whether your application sets the `X-Frame-Options` security header to protect against clickjacking attacks. The header tells the browser whether it may render the page inside a `<frame>`, `<iframe>`, `<embed>` or `<object>` tag; without it, another site can embed your page invisibly and trick a user into clicking controls on it.

If your application's pages are legitimately rendered inside any of the above tags (for example, embedded on another site), you would not be able to set this header without breaking that embedding. In this case, you may choose to ignore this analyzer.

# How To Fix

You can add the X-Frame-Options header in your web server configuration.

For Nginx, you may use the `add_header` directive in your `server` or `location` block:

```nginx
add_header X-Frame-Options "SAMEORIGIN";
```

For Apache, you may use the `Header` directive in your `<VirtualHost>`, `<Directory>` or `<Location>` container:

```apache
Header always set X-Frame-Options "SAMEORIGIN"
```

Alternatively, if you do not wish to set the header at the web server level, you may add the `FrameGuard` middleware to the `web` middleware group in your `App\Http\Kernel` class:

```php
/**
 * The application's route middleware groups.
 *
 * @var array
 */
protected $middlewareGroups = [
    'web' => [
        // Sets X-Frame-Options: SAMEORIGIN on every response in the web group.
        \Illuminate\Http\Middleware\FrameGuard::class,
        \App\Http\Middleware\EncryptCookies::class,
        \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
        \Illuminate\Session\Middleware\StartSession::class,
        // \Illuminate\Session\Middleware\AuthenticateSession::class,
        \Illuminate\View\Middleware\ShareErrorsFromSession::class,
        \App\Http\Middleware\VerifyCsrfToken::class,
        \Illuminate\Routing\Middleware\SubstituteBindings::class,
    ],

    'api' => [
        'throttle:api',
        \Illuminate\Routing\Middleware\SubstituteBindings::class,
    ],
];
```
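
As an added example (not code from the Enlightn page or the Enlightn project), the following Python checker judges a response's headers the way a clickjacking check needs to: it accepts only `DENY` and `SAMEORIGIN` as protective, flags the obsolete `ALLOW-FROM` form, and lets a CSP `frame-ancestors` directive take precedence, which is why `DENY` alongside `frame-ancestors *` still fails. The sample header sets are constructed, not captured from a real server.

```python
# Added example: evaluate whether a response's headers actually prevent framing.
def _header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""

def _frame_ancestors(csp: str) -> str:
    """Return the sources listed in a CSP frame-ancestors directive, or ''."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return " ".join(parts[1:])
    return ""

def assess_clickjacking_protection(headers: dict) -> tuple:
    """Return (protected, reason) for one HTTP response's headers."""
    ancestors = _frame_ancestors(_header(headers, "Content-Security-Policy"))
    xfo = _header(headers, "X-Frame-Options").upper()

    # Browsers that support CSP ignore X-Frame-Options when frame-ancestors is set.
    if ancestors:
        if ancestors == "*":
            return False, "CSP frame-ancestors * permits framing by any origin"
        return True, f"CSP frame-ancestors {ancestors} restricts framing"
    if not xfo:
        return False, "X-Frame-Options header missing"
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options {xfo}"
    if xfo.startswith("ALLOW-FROM"):
        # Never widely supported and dropped by current browsers: no protection.
        return False, "X-Frame-Options ALLOW-FROM is obsolete and ignored by browsers"
    return False, f"unrecognised X-Frame-Options value {xfo!r}"

# Constructed sample header sets, not captured from any real server.
SAMPLES = {
    "nginx add_header": {"X-Frame-Options": "SAMEORIGIN"},
    "header missing": {"Content-Type": "text/html"},
    "obsolete allow-from": {"x-frame-options": "ALLOW-FROM https://example.com"},
    "csp overrides xfo": {"X-Frame-Options": "DENY",
                          "Content-Security-Policy": "default-src 'self'; frame-ancestors *"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        ok, why = assess_clickjacking_protection(hdrs)
        print(f"{'PASS' if ok else 'FAIL'} {label}: {why}")
```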

# References