A clickjacking attack tricks users into clicking on something different from what they perceive.
An attacker creates a malicious webpage and embeds your site in a hidden iframe.
Invisible elements are overlaid on top of your real buttons.
User clicks what they see — but triggers actions on your site without knowing.
Use HTTP response headers to block iframe embedding:

X-Frame-Options (legacy header):
  DENY         : never allow framing (most secure)
  SAMEORIGIN   : only allow same-origin framing
  ⚠ Deprecated : use CSP instead!

Content-Security-Policy: frame-ancestors (modern replacement):
  'none'                 : block all framing
  'self'                 : same-origin only
  <allowed origin>       : specific allowlist
  https://*.example.com  : all subdomains of example.com

Recommendation: DENY unless you need same-origin embedding.
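To check whether a response actually carries one of these protections, here is an added example (not from the original page) in Python: it classifies the framing policy from a response's headers, assuming a plain dict of header names to values, and gives CSP frame-ancestors precedence over X-Frame-Options, as browsers do when both are present.

```python
"""Audit HTTP response headers for clickjacking protection (added example).

Assumes `headers` is a dict of header-name -> value for a single response.
Only the enforcing Content-Security-Policy header counts; a
Content-Security-Policy-Report-Only header does not block framing.
"""


def frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def framing_policy(headers):
    """Classify the framing policy as (level, source).

    level  : "deny", "sameorigin", "allowlist" or "open" (no protection)
    source : "csp", "xfo" or None
    """
    h = {k.lower(): v for k, v in headers.items()}

    # CSP frame-ancestors, when present, overrides X-Frame-Options.
    csp = h.get("content-security-policy")
    if csp is not None:
        sources = frame_ancestors(csp)
        if sources is not None:
            low = [s.lower() for s in sources]
            if not low or low == ["'none'"]:   # empty list matches nothing
                return ("deny", "csp")
            if low == ["'self'"]:
                return ("sameorigin", "csp")
            if "*" in low:                     # wildcard allows any framer
                return ("open", "csp")
            return ("allowlist", "csp")

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return ("deny", "xfo")
    if xfo == "SAMEORIGIN":
        return ("sameorigin", "xfo")
    # ALLOW-FROM is obsolete and ignored by current browsers, so it protects nothing.
    return ("open", "xfo" if xfo else None)


if __name__ == "__main__":
    # Constructed sample: CSP should win over the weaker X-Frame-Options value.
    sample = {"X-Frame-Options": "SAMEORIGIN",
              "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}
    print(framing_policy(sample))  # ('deny', 'csp')
```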