
Clickjacking

Security · CWE-1021 · OWASP A4:2021 · CVSS 6.5 · PHP 5.0+ · Intermediate
debt(d5/e1/b3/t5)
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches' (d5). The term's detection_hints.tools lists semgrep, lighthouse, and owasp-zap — all specialist security/audit tools that scan for missing X-Frame-Options or CSP frame-ancestors headers. Standard linters won't catch this; you need SAST or security-focused scanners.

e1 Effort Remediation debt — work required to fix once spotted

Closest to 'one-line patch' (e1). The quick_fix is literally adding a single header call: header('X-Frame-Options: DENY') or the CSP equivalent. This is a one-line fix per response, and can be applied globally via middleware with minimal effort.

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3). Applies only to web contexts per applies_to. Once you add the header globally (via middleware or framework config), the burden is minimal. However, common_mistakes notes you must remember to apply it to all pages, creating a small ongoing tax when adding new endpoints.

t5 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'notable trap' (t5). The misconception field explicitly states that developers believe JavaScript frame-busting scripts prevent clickjacking, when in fact they're easily bypassed via iframe sandbox attributes. This is a documented gotcha that most security-aware devs eventually learn, but the 'obvious' JS solution doesn't work.


Also Known As

UI redressing, click hijacking, iframe overlay attack

TL;DR

A malicious page overlays an invisible iframe over your site, tricking users into clicking UI elements they cannot see.

Explanation

Clickjacking (UI redressing) loads a legitimate site in a transparent iframe positioned over a decoy page. The victim thinks they are clicking a harmless button on the attacker's page but are actually interacting with hidden elements on the legitimate site — liking posts, transferring funds, or changing settings. Prevention: set the X-Frame-Options: DENY (or SAMEORIGIN) response header, or use the Content-Security-Policy frame-ancestors directive. PHP: header("X-Frame-Options: DENY");

How It's Exploited

<!-- Attacker page: invisible iframe over a "Win a prize!" button -->
<iframe src="https://bank.com/transfer" style="opacity:0;position:absolute"></iframe>
<button>Claim prize!</button>
<!-- Click on 'Claim prize' actually clicks Transfer button on bank site -->

Common Misconception

Developers assume JavaScript frame-busting scripts prevent clickjacking. In practice, frame-busting is bypassable with the sandbox attribute on the iframe, which blocks the framed page's scripts from running. The reliable fix is the X-Frame-Options header or the CSP frame-ancestors directive.

Why It Matters

An invisible iframe overlay tricks users into clicking UI elements on your site while believing they interact with the attacker's page — enabling unauthorised actions like fund transfers or setting changes.

Common Mistakes

  • Not setting X-Frame-Options or CSP frame-ancestors header — the page can be framed by anyone.
  • Using X-Frame-Options: ALLOWALL, which is not a recognised value and so provides no protection.
  • Relying only on JavaScript frame-busting code, which is easily bypassed with the sandbox attribute on the iframe.
  • Forgetting to apply the header to all pages — attackers only need one frameable sensitive action.
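As an added example (not code from the original page), the check a header scanner such as owasp-zap performs, run in Python over constructed sample responses: it flags the missing header, the ineffective ALLOWALL value, and the one unprotected page on an otherwise hardened site.

```python
from typing import Dict, List, Tuple

Headers = Dict[str, str]

def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def frame_protection(headers: Headers) -> Tuple[bool, str]:
    """Return (protected, reason). Header names match case-insensitively."""
    lower = {k.lower(): v for k, v in headers.items()}
    ancestors = parse_csp(lower.get("content-security-policy", "")).get("frame-ancestors")
    if ancestors is not None:
        # CSP-aware browsers ignore X-Frame-Options once frame-ancestors is set.
        # An empty source list means 'none'; '*' lets any origin frame the page.
        if "*" in ancestors:
            return False, "frame-ancestors * allows framing by any origin"
        return True, "CSP frame-ancestors " + (" ".join(ancestors) or "'none'")
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + xfo
    if xfo:
        # ALLOWALL and the obsolete ALLOW-FROM are not honoured: still frameable.
        return False, "X-Frame-Options " + xfo + " is not a recognised restriction"
    return False, "no X-Frame-Options or CSP frame-ancestors header"

def frameable_pages(site: Dict[str, Headers]) -> List[str]:
    """Paths whose responses lack effective framing protection."""
    return [path for path, hdrs in site.items() if not frame_protection(hdrs)[0]]

# Constructed sample site: one unprotected sensitive page is all an attacker needs.
SAMPLE_SITE: Dict[str, Headers] = {
    "/": {"X-Frame-Options": "DENY", "Content-Type": "text/html"},
    "/settings": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "/widget": {"x-frame-options": "ALLOWALL"},
    "/transfer": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for path in frameable_pages(SAMPLE_SITE):
        print(path, "->", frame_protection(SAMPLE_SITE[path])[1])
```

Point the same function at real response headers captured with curl -I to get the same verdicts for your own endpoints.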

Code Examples

✗ Vulnerable
// Missing frame protection header — page can be embedded in any iframe:
header('Content-Type: text/html');
// Should add: header('X-Frame-Options: DENY');
// Or: header("Content-Security-Policy: frame-ancestors 'none'");
✓ Fixed
// Prevent your page from being embedded in an iframe on another domain.
// Call header() before any output is sent, otherwise PHP cannot add the header.
header('X-Frame-Options: DENY');
// Or allow only same origin. header() replaces an earlier value for the same
// header by default, so send one of the two, not both:
// header('X-Frame-Options: SAMEORIGIN');

// Modern equivalent via CSP (send it alongside X-Frame-Options for older browsers):
header("Content-Security-Policy: frame-ancestors 'none';");
// frame-ancestors 'self' — same as SAMEORIGIN but more flexible

Added 15 Mar 2026
Edited 22 Mar 2026
DEV INTEL: Tools & Severity
Severity: 🟡 Medium · Fix effort: Low
⚡ Quick Fix
Add header('X-Frame-Options: DENY') or Content-Security-Policy: frame-ancestors 'none' to every response.
📦 Applies To
PHP 5.0+, web
🔍 Detection Hints
Missing X-Frame-Options or frame-ancestors CSP directive in response headers.
Auto-detectable: ✓ Yes (semgrep, lighthouse, owasp-zap)
CWE-1021