Clickjacking

Security Glossary - Web Security

Definition: Clickjacking is an attack in which a malicious website embeds a target site in a transparent iframe and tricks users into clicking elements of that hidden site. The user sees and believes they are interacting with the visible malicious page, but their clicks actually land on buttons or links of the legitimate site in the transparent frame layered over it.

The Essentials

  • Tricks users into clicking hidden elements by overlaying transparent iframes
  • Can capture clicks on buttons, links, and form submissions
  • Prevented by X-Frame-Options or CSP frame-ancestors directive
  • Also called UI redress attack
  • Particularly dangerous for one-click actions like payments or permission grants

Why You Should Care About Clickjacking

Clickjacking can trick users into performing actions they did not intend - liking social media posts, confirming financial transactions, changing account settings, or granting permissions. The attack is effective because the user sees a completely different page from what they are actually clicking on.

The primary defenses are the X-Frame-Options header (set to DENY or SAMEORIGIN) and the CSP frame-ancestors directive (set to 'none' or 'self'). Both prevent your pages from being embedded in frames on other sites, which is the prerequisite for clickjacking attacks. Browsers that support CSP give frame-ancestors precedence when both are present, while X-Frame-Options still covers older browsers, which is why setting both is recommended.

JavaScript frame-busting code (checking whether window.top === window.self and breaking out of the frame if not) was an older defense, but it is unreliable because the framing page can circumvent it. HTTP headers are the definitive solution because the browser enforces them before any page code runs.

Testing Your Configuration

A security audit checks for X-Frame-Options and CSP frame-ancestors headers. Both should be set to prevent unauthorized framing. If your site never needs to be embedded in iframes, use the strictest settings (DENY / 'none').
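The following is an added example (not DomainOptic's scanner) of the header check described above: given a page's response headers, it classifies the anti-framing protection from X-Frame-Options and CSP frame-ancestors and lists what is missing or misconfigured. The header sets in the main block are constructed samples, not real scan results.

```python
"""Classify a response's anti-clickjacking headers (added example, not DomainOptic's code)."""
from typing import Dict, List, Optional


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def assess_framing_protection(headers: Dict[str, str]) -> Dict[str, object]:
    """Return {'level': 'strict'|'same-origin'|'allow-list'|'none', 'findings': [...]}.

    CSP frame-ancestors decides the level when present (CSP-aware browsers give it
    precedence); X-Frame-Options is the fallback for browsers without CSP support.
    Header names are matched case-insensitively.
    """
    h = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []
    xfo = h.get("x-frame-options", "").strip().upper()
    ancestors = parse_frame_ancestors(h.get("content-security-policy", ""))

    if ancestors is not None:
        sources = [s.strip("'").lower() for s in ancestors]
        if sources == ["none"]:
            level = "strict"
        elif sources and all(s == "self" for s in sources):
            level = "same-origin"
        else:
            level = "allow-list"
            findings.append("frame-ancestors is not 'none'/'self': " + " ".join(ancestors))
        if not xfo:
            findings.append("no X-Frame-Options fallback for browsers without CSP support")
    elif xfo in ("DENY", "SAMEORIGIN"):
        level = "strict" if xfo == "DENY" else "same-origin"
        findings.append("no CSP frame-ancestors directive; X-Frame-Options alone is in use")
    else:
        level = "none"
        if xfo.startswith("ALLOW-FROM"):
            findings.append("ALLOW-FROM is obsolete and ignored by current browsers; use frame-ancestors")
        elif xfo:
            findings.append(f"unrecognised X-Frame-Options value: {xfo}")
        else:
            findings.append("no anti-framing header: the page can be embedded cross-origin")
    return {"level": level, "findings": findings}


if __name__ == "__main__":  # constructed header sets, not real scan results
    for name, hdrs in {"hardened": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors 'none'"},
                       "legacy-only": {"x-frame-options": "sameorigin"},
                       "unprotected": {"Content-Type": "text/html"}}.items():
        print(name, assess_framing_protection(hdrs))
```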

Questions and Answers

How do I prevent clickjacking?
Set the X-Frame-Options header to DENY (or SAMEORIGIN if you need self-framing) and the CSP frame-ancestors directive to 'none' (or 'self'). Both headers should be set for maximum compatibility.
Can clickjacking steal passwords?
Not directly, because the attacker's page does not have access to the content of the framed page (same-origin policy prevents that). However, clickjacking can trick users into clicking login buttons, permission grants, or other actions on the hidden legitimate site.
Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.