
Update StatusController

Daniel Supernault 5 年之前
父節點
當前提交
026b59f025
共有 3 個文件被更改,包括 28 次插入1 次删除
  1. 1 1
      app/Http/Controllers/StatusController.php
  2. 1 0
      app/Http/Kernel.php
  3. 26 0
      app/Http/Middleware/FrameGuard.php

+ 1 - 1
app/Http/Controllers/StatusController.php

@@ -95,7 +95,7 @@ class StatusController extends Controller
         $showCaption = $request->filled('caption') && $request->caption !== false;
         $layout = $request->filled('layout') && $request->layout == 'compact' ? 'compact' : 'full';
         $content = view('status.embed', compact('status', 'showLikes', 'showCaption', 'layout'));
-        return response($content)->withHeaders(['x-frame-options' => 'ALLOWALL']);
+        return response($content)->withHeaders(['X-Frame-Options' => 'ALLOWALL']);
     }
 
     public function showObject(Request $request, $username, int $id)
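Review bot: `ALLOWALL` on the changed `withHeaders` line is not a value defined for X-Frame-Options (the defined ones are `DENY` and `SAMEORIGIN`), so the embed is frameable only because browsers generally ignore a value they do not recognise. With the FrameGuard middleware added in this commit, the header's practical role here is to mark the response so the guard skips its `SAMEORIGIN` default, and that intent deserves a comment such as `// Embeds are meant to be framed by other sites; setting X-Frame-Options here opts this response out of FrameGuard's SAMEORIGIN default.` Because this response can be framed from any origin, the `status.embed` view should stay free of authenticated, state-changing controls. The method body begins above the hunk, so how `$status` is loaded is not visible here.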

+ 1 - 0
app/Http/Kernel.php

@@ -29,6 +29,7 @@ class Kernel extends HttpKernel
     protected $middlewareGroups = [
         'web' => [
             \App\Http\Middleware\EncryptCookies::class,
+            \App\Http\Middleware\FrameGuard::class,
             \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
             \Illuminate\Session\Middleware\StartSession::class,
             // \Illuminate\Session\Middleware\AuthenticateSession::class,
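Review bot: Registering `FrameGuard` only in the `web` group leaves any HTML response served outside that group without the `SAMEORIGIN` default. If other groups or standalone routes return pages (the rest of `$middlewareGroups` and the route files are not visible in this hunk), the global `$middleware` list would be the safer place for it. A short comment next to the entry, for example `// default X-Frame-Options: SAMEORIGIN; the embed route opts out`, would explain why it is there.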

+ 26 - 0
app/Http/Middleware/FrameGuard.php

@@ -0,0 +1,26 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+
+class FrameGuard
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @return mixed
+     */
+    public function handle($request, Closure $next)
+    {
+        $response = $next($request);
+
+        if (!$response->headers->has('X-Frame-Options')) {
+            $response->headers->set('X-Frame-Options', 'SAMEORIGIN', false);
+        }
+
+        return $response;
+    }
+}
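Review bot: The `has('X-Frame-Options')` check in `handle()` lets any value set earlier, valid or not, switch off the `SAMEORIGIN` default, so a typo or a non-standard value such as the `ALLOWALL` used by the embed route leaves the response with no effective framing policy. A narrower opt-out would be safer, or at minimum the class needs a docblock saying so, e.g. `/** Adds X-Frame-Options: SAMEORIGIN unless the response already carries that header; routes that must be embeddable set their own value. */`, since the current method docblock is the stock template text. The third argument `false` on `set()` is redundant once `has()` has returned false, so the call can be `$response->headers->set('X-Frame-Options', 'SAMEORIGIN');`. Current browsers take framing policy from the CSP `frame-ancestors` directive when it is present, so emitting `frame-ancestors 'self'` alongside is worth considering if the app does not already send a CSP.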