💡 WHAT IS CLICKJACKING? EXPLAINER

⚠ The Attack

A clickjacking attack tricks users into clicking on something different from what they perceive.

1. The attacker creates a malicious webpage and embeds your site in a hidden (transparent or off-screen) iframe.

2. Invisible elements are overlaid on top of your real buttons, or the framed page itself is positioned under the attacker's visible bait.

3. The user clicks what they see, but the click lands on your site and triggers an action they never intended, with their own session cookies attached.

Real targets: Like buttons, bank transfers, admin actions, purchase confirmations.

✅ How to Prevent

Use HTTP response headers to block iframe embedding:

Method 1: X-Frame-Options
X-Frame-Options: DENY
  • DENY — never allow framing
  • SAMEORIGIN — same-origin only
Method 2: CSP
Content-Security-Policy: frame-ancestors 'none'
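The two headers have to reach every response, not just the HTML pages you remember to configure. One way to guarantee that, as an added example (this is not code from the original page or from any tool it describes), is to add them in a middleware that wraps the whole application. The example below is a WSGI middleware with a constructed demo app; the names AntiFramingMiddleware, demo_app and call_wsgi are assumptions for illustration. Because browsers enforce every Content-Security-Policy header they receive, the middleware appends its own frame-ancestors policy rather than trying to parse and merge the application's existing CSP.

```python
# Added example, not part of the original page: a WSGI middleware that stamps
# X-Frame-Options and a CSP frame-ancestors directive on every response,
# including error responses, so no page is left unprotected.
from wsgiref.util import setup_testing_defaults

XFO_VALUE = "DENY"
CSP_VALUE = "frame-ancestors 'none'"


class AntiFramingMiddleware:
    """Wrap any WSGI app so every response carries both anti-framing headers,
    whatever the status code and whatever the app itself set."""

    def __init__(self, app, xfo=XFO_VALUE, csp=CSP_VALUE):
        self.app, self.xfo, self.csp = app, xfo, csp

    def __call__(self, environ, start_response):
        def start_response_with_headers(status, headers, exc_info=None):
            # Drop any X-Frame-Options the app set, so a weaker value
            # (e.g. the deprecated ALLOW-FROM) cannot override the policy.
            out = [(n, v) for n, v in headers if n.lower() != "x-frame-options"]
            out.append(("X-Frame-Options", self.xfo))
            # Browsers enforce every CSP header they receive, so adding a
            # second policy is safe and needs no parsing of the app's own CSP.
            out.append(("Content-Security-Policy", self.csp))
            return start_response(status, out, exc_info)

        return self.app(environ, start_response_with_headers)


def demo_app(environ, start_response):
    """Constructed sample app: one page that sets a weak header, plus a 404
    for everything else (error pages need the headers too)."""
    if environ.get("PATH_INFO") == "/":
        start_response("200 OK", [
            ("Content-Type", "text/html"),
            ("X-Frame-Options", "ALLOW-FROM https://partner.example"),  # weak, replaced
        ])
        return [b"<h1>Transfer funds</h1>"]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def call_wsgi(app, path):
    """Invoke a WSGI app in-process and return (status, headers, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    app = AntiFramingMiddleware(demo_app)
    for path in ("/", "/missing"):
        status, headers, _ = call_wsgi(app, path)
        relevant = [h for h in headers
                    if h[0] in ("X-Frame-Options", "Content-Security-Policy")]
        print(path, status, relevant)
```

The same pattern applies to any framework or reverse proxy: set the headers at the outermost layer, after the application has produced its response, so that framework-generated error pages and redirects are covered as well.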
📋 HEADER REFERENCE

X-Frame-Options Values

X-Frame-Options: DENY

Never allow framing (most secure).

X-Frame-Options: SAMEORIGIN

Only allow same-origin framing.

X-Frame-Options: ALLOW-FROM https://trusted.com

⚠ Deprecated: current browsers ignore this value entirely and treat the response as if no X-Frame-Options header were sent, so it gives no protection. Use a CSP frame-ancestors allowlist instead.

CSP frame-ancestors

frame-ancestors 'none'

Block all framing.

frame-ancestors 'self'

Same-origin only.

frame-ancestors 'self' https://trusted.com

Specific allowlist.

frame-ancestors https://*.example.com

All subdomains of example.com, served over HTTPS. The wildcard does not match the bare example.com itself; list it separately if the apex domain also needs to frame the page.


💡 Best Practices

  • Use both X-Frame-Options and CSP for maximum compatibility. Browsers that support frame-ancestors ignore X-Frame-Options when both are present, so keep the two consistent (DENY with 'none', SAMEORIGIN with 'self').
  • Set the headers on all responses, including error pages, redirects and framework-generated pages.
  • Prefer DENY / 'none' unless you actually need same-origin embedding.
  • Test regularly, and test every path rather than only the home page; security regressions happen when a new route or error handler bypasses the place the headers are set.
  • Consider JavaScript frame-busting only as a defense-in-depth backup for very old browsers. It can be defeated (for example, an attacker's iframe with a sandbox attribute that omits allow-top-navigation prevents the framed page from navigating the top window), so it must never be the only control.
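"Test regularly" in practice means checking the headers an endpoint actually returns and applying the precedence rules from the reference above: an enforced CSP frame-ancestors directive decides on its own, X-Frame-Options is only consulted when no such directive exists, and the deprecated ALLOW-FROM value counts as no protection. The following checker, added here as an example and not part of the original page or of any tool it describes, takes the raw header list of a response (for instance from response.raw.headers.items() in a requests session) and returns a verdict. The function names assess and Verdict and the sample header sets are constructed for illustration.

```python
# Added example, not part of the original page: decide from a response's
# headers whether framing is blocked, using the precedence rules browsers apply.
from dataclasses import dataclass


@dataclass
class Verdict:
    protected: bool
    source: str   # "CSP", "X-Frame-Options" or "none": the header that decided
    detail: str


def _frame_ancestors_lists(policies):
    """Collect the source list of every frame-ancestors directive found in the
    given CSP policy strings. A browser enforces every delivered policy, so a
    page is framable only if all of them allow it."""
    lists = []
    for policy in policies:
        for directive in policy.split(";"):
            tokens = directive.strip().split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                lists.append([t.lower() for t in tokens[1:]])
    return lists


def _restricts(sources):
    """True if a frame-ancestors source list blocks arbitrary origins.
    An empty list behaves like 'none'; '*' or a bare scheme allows any site."""
    if not sources or sources == ["'none'"]:
        return True
    return not any(s in ("*", "http:", "https:") for s in sources)


def assess(headers):
    """headers: iterable of (name, value) pairs as received; repeats allowed."""
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value.strip())

    # 1. An enforced CSP frame-ancestors directive decides on its own.
    fa = _frame_ancestors_lists(by_name.get("content-security-policy", []))
    if fa:
        if any(_restricts(lst) for lst in fa):
            shown = " | ".join(" ".join(lst) or "(empty, same as 'none')" for lst in fa)
            return Verdict(True, "CSP", "frame-ancestors restricts framing: " + shown)
        return Verdict(False, "CSP", "frame-ancestors allows any origin")

    # Report-only policies are logged by the browser but never enforced.
    report_only = _frame_ancestors_lists(
        by_name.get("content-security-policy-report-only", []))
    note = " (report-only frame-ancestors seen; it does not enforce)" if report_only else ""

    # 2. Otherwise fall back to X-Frame-Options. Conflicting values are
    # browser-specific, so only a consistent DENY or SAMEORIGIN counts here.
    xfo = [v.strip().lower()
           for value in by_name.get("x-frame-options", [])
           for v in value.split(",")]
    if "deny" in xfo:
        return Verdict(True, "X-Frame-Options", "DENY" + note)
    if xfo and all(v == "sameorigin" for v in xfo):
        return Verdict(True, "X-Frame-Options", "SAMEORIGIN" + note)
    if xfo:
        # ALLOW-FROM and unknown tokens are ignored by current browsers.
        return Verdict(False, "X-Frame-Options",
                       f"unsupported value {' '.join(xfo)!r} gives no protection" + note)
    return Verdict(False, "none", "neither header present" + note)


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    samples = {
        "both headers": [("X-Frame-Options", "SAMEORIGIN"),
                         ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
        "xfo only": [("x-frame-options", "deny")],
        "allow-from": [("X-Frame-Options", "ALLOW-FROM https://trusted.com")],
        "report-only": [("Content-Security-Policy-Report-Only", "frame-ancestors 'none'")],
        "nothing": [("Content-Type", "text/html")],
    }
    for label, hdrs in samples.items():
        print(f"{label:12} -> {assess(hdrs)}")
```

Run it against every route of a site, including error pages and redirects, and treat any verdict with protected=False as a finding.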