Clickjacking — also called a UI redress attack — embeds your site invisibly inside an <iframe> on an attacker's page. The user thinks they are clicking a button on the page they are viewing, but the click lands on your site underneath, potentially confirming a purchase, changing settings, or granting OAuth permissions while the user is logged in.
Why it matters
Even a fully patched application can be hijacked through clickjacking if any third party can frame it. Successful attacks have been used to harvest webcam access, hijack social media follows, and trigger one-click money transfers and OAuth approvals. The fix is essentially a one-line response header, so leaving the door open is pure unforced risk and a finding that automated security scans flag immediately.
How to fix it
- Send `X-Frame-Options: DENY` to forbid framing entirely, or `SAMEORIGIN` if you embed your own pages.
- In a CSP, set `frame-ancestors 'self'` (or an explicit allowlist). `frame-ancestors` supersedes `X-Frame-Options` in modern browsers and supports multiple sources.
- Pair with CSRF tokens on state-changing requests so a stolen click cannot complete a sensitive action without a valid token.
- Test by loading your URL inside an `<iframe>` from a different origin in DevTools — the browser should refuse to render it.
- Also harden related headers like Referrer-Policy and Permissions-Policy.
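The header recipe and the framing test above can be checked offline. The following is an added example, not code from the original article: `hardened_headers` builds the response headers the fix calls for, and `framing_allowed` models the browser decision those headers drive (a CSP `frame-ancestors` directive wins over `X-Frame-Options`; with neither present, any origin may frame the page). The function names, the sample origins and the simplified source-matching rules are this example's own assumptions.

```python
"""Added example, not code from the original article: model the browser's
anti-framing decision so a response's headers can be checked offline.

Names (hardened_headers, framing_allowed) and the sample origins are this
example's own assumptions.  Precedence follows the article: a CSP
frame-ancestors directive wins over X-Frame-Options; with neither header
present, any origin may frame the page.
"""
from urllib.parse import urlsplit


def hardened_headers(allowed_ancestors=("'self'",)):
    """Headers a server should send.  Default allows only same-origin framing;
    pass ("'none'",) to forbid framing entirely.  X-Frame-Options cannot express
    an allowlist, so it is sent as a SAMEORIGIN fallback for legacy browsers."""
    xfo = "DENY" if tuple(allowed_ancestors) == ("'none'",) else "SAMEORIGIN"
    return {
        "X-Frame-Options": xfo,
        "Content-Security-Policy": "frame-ancestors " + " ".join(allowed_ancestors),
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    }


def _port(o):
    """Explicit port, or the scheme's default (https -> 443, http -> 80)."""
    return o.port if o.port is not None else {"https": 443, "http": 80}.get(o.scheme)


def _same_origin(a, b):
    oa, ob = urlsplit(a), urlsplit(b)
    return (oa.scheme, oa.hostname, _port(oa)) == (ob.scheme, ob.hostname, _port(ob))


def _source_matches(source, page_origin, framer_origin):
    """Match one frame-ancestors source expression against the framing origin."""
    src = source.strip()
    if src == "'self'":
        return _same_origin(page_origin, framer_origin)
    if src.startswith("'"):  # no other keyword source is meaningful here
        return False
    fo = urlsplit(framer_origin)
    if src.endswith(":"):  # scheme-only source such as "https:"
        return fo.scheme == src[:-1].lower()
    if "://" in src:
        so = urlsplit(src)
        if so.scheme.lower() != fo.scheme:
            return False
    else:
        # Scheme-less host source: framer must use the page's scheme (or https).
        so = urlsplit("//" + src)
        if fo.scheme not in (urlsplit(page_origin).scheme, "https"):
            return False
    if so.port is not None and so.port != _port(fo):
        return False
    host_pat = so.hostname or ""
    if host_pat == "*":
        return True
    if host_pat.startswith("*."):  # wildcard matches subdomains only
        return fo.hostname.endswith(host_pat[1:]) and fo.hostname != host_pat[2:]
    return fo.hostname == host_pat


def framing_allowed(headers, page_origin, framer_origin):
    """True if a browser would render page_origin inside a frame on framer_origin."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = parts[1:]
            if not sources or "'none'" in sources:  # empty list means 'none'
                return False
            return any(_source_matches(s, page_origin, framer_origin) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _same_origin(page_origin, framer_origin)
    return True  # missing or obsolete (ALLOW-FROM) value: no protection


if __name__ == "__main__":
    page = "https://shop.example"  # constructed sample origin
    cases = {
        "no headers": {},
        "hardened default": hardened_headers(),
        "partner allowlist": hardened_headers(("'self'", "https://partner.example")),
    }
    for name, hdrs in cases.items():
        for framer in (page, "https://attacker.example", "https://partner.example"):
            verdict = "ALLOWED" if framing_allowed(hdrs, page, framer) else "blocked"
            print(f"{name:18} framed by {framer:26} -> {verdict}")
```

Running the script prints one verdict per (policy, framing origin) pair; the "no headers" row is the one an automated scanner flags. Feed `framing_allowed` the actual headers captured from your server (for example from a `curl -I` response) to confirm that a foreign origin is blocked while your own origin, or an approved partner, still is not.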