X-FRAME-OPTIONS is shown twice and X-XSS-PROTECTION is shown wrong

The webserver may be adding headers to responses in addition to those sent by PHP. We can check which headers the webserver adds by creating an empty HTML file in the public directory, such as public/dummy.html

Then, visit that page in the browser, http://example.com/dummy.html, and check which headers the response includes. Alternatively, we can use the curl command to show the response headers:

$ curl -I 'http://example.com/dummy.html'
HTTP/2 200
date: Mon, 16 Oct 2017 20:34:24 GMT
...
x-xss-protection: 1; mode=block
x-frame-options: SAMEORIGIN

If we see the x-xss-protection or x-frame-options headers in this output, it means that the webserver is sending these headers. There may be a corrupted value for x-xss-protection in the webserver configuration (it looks like someone pasted stylized double quotation marks (“…”) instead of straight quotes ("…") which the server interprets as part of the header's value).

For nginx, look for add_header ... directives in the configuration files. If using Apache httpd, check for Header set ... directives in the server config or the .htaccess file.

It also appears as if the site uses the Incapsula CDN, which may be injecting the headers as well, but I couldn't find any information in the Incapsula documentation that suggests this is the case.

Laravel Socialite does not add these headers to responses.
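As an added example (not code from the thread or from Laravel), a small header audit in Python that mirrors the dummy.html comparison above: it flags header names sent twice, values containing non-ASCII characters such as pasted curly quotes, and attributes each header to the webserver or the application by comparing the static-file response with an application response. Both sample responses are constructed for the example.

```python
"""Audit HTTP response headers for duplicates, smart-quote corruption and origin.
Added example for this thread; the sample responses below are constructed, not real."""
from collections import Counter

# Constructed `curl -I` style output for the empty public/dummy.html (webserver only).
STATIC_RESPONSE = (
    "HTTP/2 200\n"
    "date: Mon, 16 Oct 2017 20:34:24 GMT\n"
    "x-xss-protection: \u201c1; mode=block\u201d\n"  # curly quotes pasted into config
    "x-frame-options: SAMEORIGIN\n"
)
# Constructed output for an application route: app middleware adds its own X-Frame-Options.
APP_RESPONSE = (
    "HTTP/2 200\n"
    "date: Mon, 16 Oct 2017 20:34:24 GMT\n"
    "x-xss-protection: \u201c1; mode=block\u201d\n"
    "x-frame-options: SAMEORIGIN\n"
    "set-cookie: laravel_session=abc; path=/\n"
    "x-frame-options: SAMEORIGIN\n"
)

def parse_headers(raw):
    """Return (name, value) pairs; names lower-cased, status line skipped."""
    pairs = []
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:  # the status line has no colon and is skipped
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def find_duplicates(raw):
    """Header names sent more than once in a single response."""
    counts = Counter(name for name, _ in parse_headers(raw))
    return sorted(n for n, c in counts.items() if c > 1)

def find_non_ascii_values(raw):
    """Headers whose value contains non-ASCII characters, e.g. pasted curly quotes."""
    return sorted(n for n, v in parse_headers(raw) if not v.isascii())

def header_origin(static_raw, app_raw):
    """Attribute each header in the app response to 'webserver', 'app' or 'both'."""
    static_counts = Counter(n for n, _ in parse_headers(static_raw))
    app_counts = Counter(n for n, _ in parse_headers(app_raw))
    origin = {}
    for name, count in app_counts.items():
        if name not in static_counts:
            origin[name] = "app"          # only the application sends it
        elif count > static_counts[name]:
            origin[name] = "both"         # webserver and application each add it
        else:
            origin[name] = "webserver"
    return origin
```

Feed the script the real `curl -I` output for dummy.html and for an application route to see which layer to fix.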