Clickjacking Checker

Test websites for clickjacking vulnerabilities

Clickjacking Test

What this shows:

If the website loads → Vulnerable to clickjacking
If the website is blocked → Protected against clickjacking

What is Clickjacking?

Clickjacking is a malicious technique where an attacker tricks a user into clicking on something different from what the user perceives.

How it works:

Attacker creates a malicious webpage
Embeds your website in a hidden iframe
Overlays invisible elements on top
User thinks they're clicking on one thing
Actually clicking on your website's buttons

Real-world examples:

Like/Follow buttons on social media
Bank transfer confirmations
Admin panel actions
Purchase confirmations

How to Prevent Clickjacking

Method 1: X-Frame-Options Header

X-Frame-Options: DENY

Options:

• DENY - Never allow framing

• SAMEORIGIN - Only allow same-origin framing

• ALLOW-FROM uri - Allow framing from specific URI

Method 2: Content Security Policy

Content-Security-Policy: frame-ancestors 'none'

Options:

• 'none' - Never allow framing

• 'self' - Only allow same-origin framing

• 'self' example.com - Allow specific domains

X-Frame-Options Reference

X-Frame-Options Values

X-Frame-Options: DENY

Never allow framing from any source (most secure)

X-Frame-Options: SAMEORIGIN

Only allow framing from same origin

X-Frame-Options: ALLOW-FROM https://trusted.com

Allow framing from specific URI (deprecated)

Browser Support

Chrome ✓ Supported

Firefox ✓ Supported

Safari ✓ Supported

Edge ✓ Supported

IE 8+ ✓ Supported

Mobile ✓ Supported

ALLOW-FROM ⚠ Deprecated

Implementation Notes

DENY is the most secure option for most websites
SAMEORIGIN allows embedding in same-origin pages
ALLOW-FROM is deprecated and not supported in modern browsers
Use CSP frame-ancestors for more granular control
Both headers can be used together for maximum compatibility
X-Frame-Options is simpler but less flexible than CSP

Common Mistakes

Using ALLOW-FROM (deprecated, use CSP instead)
Not setting the header on all pages
Conflicting CSP and X-Frame-Options policies
Not testing the implementation
Forgetting to set headers on error pages

CSP Headers Reference

frame-ancestors Directive

frame-ancestors 'none'

Never allow framing from any source

frame-ancestors 'self'

Only allow framing from same origin

frame-ancestors 'self' https://trusted.com

Allow framing from same origin and trusted domain

frame-ancestors https://*.example.com

Allow framing from any subdomain of example.com

Other CSP Directives

default-src Fallback for other directives

script-src Controls JavaScript execution

style-src Controls CSS stylesheets

img-src Controls image sources

connect-src Controls AJAX/fetch requests

font-src Controls font loading

object-src Controls plugins (Flash, etc.)

media-src Controls video/audio sources

CSP Keywords

'none' Block all sources

'self' Same origin only

'unsafe-inline' Allow inline scripts/styles

'unsafe-eval' Allow eval() and similar

'strict-dynamic' Trust dynamically loaded scripts

'unsafe-hashes' Allow specific inline scripts

'report-sample' Include sample in reports

'nonce-*' Allow scripts with specific nonce

Additional Security Tips

Best Practices

Use both X-Frame-Options and CSP headers
Test your headers regularly with this tool
Monitor for missing security headers
Consider JavaScript frame-busting as backup

Testing & Monitoring

Use this tool to test your websites
Set up automated security scans
Check headers with browser dev tools
Verify protection on staging environments