Clickjacking in Laravel with Hmac Signatures

Clickjacking relies on tricking a user into interacting with a hidden or disguised UI element inside an iframe. In Laravel, Hmac Signatures are often used to protect webhook endpoints or signed URLs (e.g., for confirming events or authorizing actions). If you expose a signed endpoint that performs a sensitive action without also enforcing protections against UI redressing, an attacker can embed that signed URL inside an invisible frame and induce a logged-in user to load it, triggering the action while the Hmac validates successfully due to a predictable or leaked signature.

Consider a Laravel route that accepts a signed query string generated with Hmac Signatures. If the route returns a page with an embedded form or JavaScript that performs a state-changing request, and the page is rendered inside an attacker-controlled site via <iframe> or <img>, the browser will send the cookies (including session) along with the signed request. Because the Hmac is valid and the user is authenticated, Laravel may execute the action, believing it is intentional. This is a classic UI redress scenario where Hmac alone does not prevent the interaction from being embedded.

Insecure implementation patterns include generating a signature based only on route and parameters without including a per-request nonce or a user-specific token, and then using that signature in a page that is not protected by X-Frame-Options or Content-Security-Policy frame-ancestors. For example, a route like /confirm-action?order_id=123&signature=... might be rendered in a page that allows framing. Even though the signature prevents tampering with the parameters, it does nothing to stop an attacker from making the user load that URL inside a malicious frame and tricking the UI into performing the action via user interaction (e.g., clicking a transparent button over the iframe).

Real-world attack patterns include abusing Laravel Octane or standard route + view setups where a signed URL is sent to a user (for example, as part of an email link) and then that link is exposed in a context that can be framed. The vulnerability is not in Hmac Signatures per se, but in how the signed response is delivered and framed. Without anti-framing controls and careful design, Hmac Signatures can give a false sense of security against clickjacking.

To mitigate clickjacking when using Hmac Signatures in Laravel, combine signature integrity with anti-framing defenses and ensure signatures include contextual bindings that prevent reuse in embedded pages.

1. Frame protection headers

Ensure responses that contain signed links or pages are not embeddable. Add the following headers in your app/Http/Middleware/HandleCors.php or a dedicated middleware:

// In a middleware handle($request, $next)
$response = $next($request);
$response->headers->set('X-Frame-Options', 'DENY');
$response->headers->set('Content-Security-Policy', "frame-ancestors 'none'");
return $response;

2. Include nonce/user context in the Hmac

Bind the signature to a per-request nonce and the authenticated user ID to prevent replay in a different context. Example using Laravel’s hash_hmac:

$userId = auth()->id();
$nonce = Str::random(20);
$expires = now()->addMinutes(10)->timestamp;
$data = "{$userId}|{$expires}|{$nonce}|{$orderId}";
$signature = hash_hmac('sha256', $data, config('app.key'));
$url = route('confirm-action', [
    'user_id' => $userId,
    'expires' => $expires,
    'nonce' => $nonce,
    'order_id' => $orderId,
    'signature' => $signature
]);

On verification:

$userId = $request->input('user_id');
$expires = $request->input('expires');
$nonce = $request->input('nonce');
$orderId = $request->input('order_id');
$provided = $request->input('signature');
$data = "{$userId}|{$expires}|{$nonce}|{$orderId}";
$expected = hash_hmac('sha256', $data, config('app.key'));

if (!hash_equals($expected, $provided)) {
    abort(403, 'Invalid signature');
}
if (now()->timestamp > $expires) {
    abort(403, 'Signature expired');
}
// Optionally check nonce uniqueness in cache to prevent replay

3. Use signed routes and avoid embedding sensitive actions in iframes

When generating links intended for user email or client-side navigation, prefer Laravel’s signed route capabilities and ensure the target page sets strict frame policies. For API-like flows, return JSON and avoid rendering views that can be framed. If you must render HTML, ensure it sets X-Frame-Options and Content-Security-Policy as shown above.

4. Example of a secure controller method

public function confirmAction(Request $request)
{
    $request->validate([
        'user_id' => 'required|integer',
        'expires' => 'required|integer',
        'nonce' => 'required|string',
        'order_id' => 'required|integer',
        'signature' => 'required|string',
    ]);

    $userId = $request->input('user_id');
    $expires = $request->input('expires');
    $nonce = $request->input('nonce');
    $orderId = $request->input('order_id');
    $provided = $request->input('signature');

    $data = "{$userId}|{$expires}|{$nonce}|{$orderId}";
    $expected = hash_hmac('sha256', $data, config('app.key'));

    if (!hash_equals($expected, $provided)) {
        abort(403, 'Invalid signature');
    }
    if (now()->timestamp > $expires) {
        abort(403, 'Signature expired');
    }

    // Proceed with the action, ensuring no sensitive rendering inside iframes
    return response()->json(['status' => 'confirmed']);
}