Clickjacking mitigation

Stops fake clicks on hidden content.

About

Clickjacking is an attack in which users are tricked into clicking links or interface elements on what appears to be a trusted, familiar site. It is typically carried out by embedding part or all of the trusted site in the attacker's page inside an <iframe>, often rendered transparent and positioned over decoy content so the victim's click lands on the hidden element.

The X-Frame-Options (XFO) response header and the frame-ancestors directive of the Content-Security-Policy (CSP) header mitigate clickjacking by telling the browser which origins, if any, may embed the page in an <iframe>. The only valid XFO values are DENY and SAMEORIGIN; ALLOW-FROM is obsolete and treated as invalid by current browsers, which leaves the page unprotected. When both headers are present, browsers that support frame-ancestors honour it and ignore XFO, so frame-ancestors 'none' (or 'self') is the stronger control, with XFO kept as a fallback for older clients. Note that frame-ancestors must be delivered in the HTTP header; it is ignored in a <meta http-equiv> CSP, and a Content-Security-Policy-Report-Only header does not enforce it.
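The following Python is an added example, not ScanGov's own scanner code. It models the header check described above against a set of constructed sample responses: it applies the precedence rule (frame-ancestors wins over XFO), rejects the obsolete ALLOW-FROM value, and flags a permissive frame-ancestors source list (`*` or a bare scheme) and a Report-Only policy as unprotected. The function names and sample responses are this example's own assumptions; the header names and values are standard.

```python
"""Classify an HTTP response's clickjacking protection from its headers.

Added example for this page, not ScanGov's scanner. Sample responses
below are constructed for illustration.
"""

# Values current browsers honour for X-Frame-Options. ALLOW-FROM was
# never widely supported and is treated as invalid, so it is omitted.
VALID_XFO = {"DENY", "SAMEORIGIN"}

# frame-ancestors sources that permit embedding from any host.
PERMISSIVE_SOURCES = {"*", "http:", "https:"}


def _get_header(headers, name):
    """Case-insensitive header lookup; returns the first match or None."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None.

    An empty list means the directive is present with no sources, which
    CSP defines as equivalent to 'none' (no embedding allowed).
    """
    if not csp:
        return None
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def clickjacking_status(headers):
    """Classify framing policy as "csp", "xfo" or "unprotected".

    Only the enforcing Content-Security-Policy header is consulted; a
    Report-Only policy does not block framing. When frame-ancestors is
    present, browsers ignore X-Frame-Options, so it is evaluated first.
    """
    ancestors = frame_ancestors(_get_header(headers, "Content-Security-Policy"))
    if ancestors is not None:
        if any(src in PERMISSIVE_SOURCES for src in ancestors):
            return "unprotected"  # e.g. frame-ancestors * allows any site
        return "csp"
    xfo = _get_header(headers, "X-Frame-Options")
    if xfo and xfo.strip().upper() in VALID_XFO:
        return "xfo"
    return "unprotected"


# Constructed sample responses (header dicts), not real scan data.
SAMPLE_RESPONSES = {
    "deny": {"X-Frame-Options": "DENY"},
    "sameorigin-lowercase": {"x-frame-options": "sameorigin"},
    "allow-from": {"X-Frame-Options": "ALLOW-FROM https://example.gov"},
    "csp-none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp-overrides-xfo": {
        "X-Frame-Options": "ALLOW-FROM https://a.example",
        "Content-Security-Policy": "frame-ancestors 'self'",
    },
    "csp-wildcard": {"Content-Security-Policy": "frame-ancestors *"},
    "report-only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
    "no-headers": {"Content-Type": "text/html"},
}


def scan(responses=SAMPLE_RESPONSES):
    """Return {name: status} for each sample response."""
    return {name: clickjacking_status(h) for name, h in responses.items()}


if __name__ == "__main__":
    for name, status in scan().items():
        print(f"{name:22} {status}")
```

Run it and only "deny", "sameorigin-lowercase", "csp-none" and "csp-overrides-xfo" come back protected; the ALLOW-FROM, wildcard, Report-Only and header-less responses are reported as unprotected, which is the outcome a scanner should surface for each of those cases.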

Why it's important

Prevents malicious websites from embedding the site in a frame and tricking users into clicking hidden elements, protecting the actions users take on the site.

User stories

As a user, I want to safely click buttons and links so I'm not tricked into doing something I didn't mean to.

Error

(ScanGov messaging when a site fails a standard)

Page is not protected from possible clickjacking by being embedded in frames.

Guidance