Clickjacking mitigation

The site prevents other websites from embedding its pages to trick users into clicking.

About

Clickjacking is a malicious attack where users are tricked into clicking on links or user interface elements on a site that appears to be a trusted and familiar site. This is typically accomplished by embedding part or all of the trusted site into the malicious site using an <iframe>.

The X-Frame-Options (XFO) header and the frame-ancestors directive in the Content-Security-Policy (CSP) header mitigate clickjacking by controlling which sites, if any, may embed the page in an <iframe>. When both are present, browsers that support frame-ancestors honour the CSP directive and ignore XFO.

Why it's important

Prevents malicious websites from tricking users into clicking hidden elements, enhancing site security and protecting user actions.

User stories

As a user, I want to safely click buttons and links so I'm not tricked into doing something I didn't mean to.

Code

Option 1 — X-Frame-Options header:

X-Frame-Options: DENY

Option 2 — Content Security Policy (preferred):

Content-Security-Policy: frame-ancestors 'none'
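The following is an added example, not ScanGov's scanner code: a small checker that applies the two mitigations above to a response's headers and reports whether the page would be protected. The header sets in the test are constructed; the "loose" source rules (wildcard or bare scheme counts as unprotected) are a simplification of CSP source matching.

```python
"""Classify a response's headers as protected or not against clickjacking."""

# Bare scheme sources or a wildcard let any site on that scheme frame the page.
_LOOSE_SOURCES = {"*", "http:", "https:"}


def csp_frame_ancestors(csp: str):
    """Return the frame-ancestors source list (lower-cased), or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def is_clickjacking_protected(headers: dict) -> tuple[bool, str]:
    """Return (protected, reason) for one response's header dict.

    Only the enforcing Content-Security-Policy header counts; the
    Report-Only variant never blocks framing. When frame-ancestors is
    present it takes precedence over X-Frame-Options, as in browsers.
    """
    lower = {name.lower(): value for name, value in headers.items()}

    csp = lower.get("content-security-policy")
    if csp is not None:
        ancestors = csp_frame_ancestors(csp)
        if ancestors is not None:
            if any(src in _LOOSE_SOURCES for src in ancestors):
                return False, "frame-ancestors allows arbitrary origins"
            # 'none', 'self', or an explicit origin list all restrict framing.
            return True, "CSP frame-ancestors restricts framing"

    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options: {xfo}"
    if xfo.startswith("ALLOW-FROM"):
        # Obsolete and ignored by current browsers, so it offers no protection.
        return False, "X-Frame-Options ALLOW-FROM is unsupported"

    return False, "Page is not protected from possible clickjacking by containing frames."


# Constructed sample: a response carrying only the CSP mitigation.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
}

if __name__ == "__main__":
    print(is_clickjacking_protected(SAMPLE_HEADERS))
```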

Error

ScanGov messaging when a site fails a standard:

Page is not protected from possible clickjacking by containing frames.

Guidance

Indicators
