Clickjacking
Also Known As
UI redressing
click hijacking
iframe overlay attack
TL;DR
A malicious page overlays an invisible iframe over your site, tricking users into clicking UI elements they cannot see.
Explanation
Clickjacking (UI redressing) loads a legitimate site in a transparent iframe positioned over a decoy page. The victim thinks they are clicking a harmless button on the attacker's page but is actually interacting with hidden elements on the legitimate site — liking posts, transferring funds, or changing settings. Prevention: send the X-Frame-Options: DENY (or SAMEORIGIN) response header, or the Content-Security-Policy frame-ancestors directive, on every response. PHP: header("X-Frame-Options: DENY");
How It's Exploited
<!-- Attacker page: invisible iframe over a "Win a prize!" button -->
<iframe src="https://bank.com/transfer" style="opacity:0;position:absolute"></iframe>
<button>Claim prize!</button>
<!-- Click on 'Claim prize' actually clicks Transfer button on bank site -->
Common Misconception
✗ JavaScript frame-busting scripts prevent clickjacking. Frame-busting is bypassable with the sandbox attribute on iframes. The reliable fix is the X-Frame-Options or CSP frame-ancestors header.
Why It Matters
An invisible iframe overlay tricks users into clicking UI elements on your site while believing they interact with the attacker's page — enabling unauthorised actions like fund transfers or setting changes.
Common Mistakes
- Not setting X-Frame-Options or CSP frame-ancestors header — the page can be framed by anyone.
- Using X-Frame-Options: ALLOWALL, which is not a valid value and provides no protection.
- Implementing only JavaScript frame-busting code which is easily bypassed by sandbox attributes on the iframe.
- Forgetting to apply the header to all pages — attackers only need one frameable sensitive action.
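The mistakes listed above can be caught by inspecting response headers, which is also the check the Detection Hints below describe. The following is an added example, not code from the original page: a small Python classifier that applies the rules stated on this page (X-Frame-Options DENY or SAMEORIGIN protect; a missing header or the bogus ALLOWALL value does not; a CSP frame-ancestors directive takes precedence over X-Frame-Options when both are sent, and a Report-Only CSP never blocks anything) and then audits a constructed site map to find the one forgotten page. The verdict names, the `audit` helper and the sample responses are assumptions of this example.

```python
"""Check HTTP response headers for clickjacking (framing) protection.

Added example, not the page's own code. The sample site map at the bottom is
constructed for the demo; the verdict names are this example's own.
"""
from __future__ import annotations

PROTECTED, RESTRICTED, FRAMEABLE = "protected", "restricted", "frameable"


def frame_ancestors_sources(csp: str) -> list[str] | None:
    """Return the frame-ancestors source list (lowercased) from a CSP header
    value, or None when the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_policy(headers: dict[str, str]) -> tuple[str, str]:
    """Classify one response as PROTECTED (no cross-origin framing at all),
    RESTRICTED (framing limited to listed origins) or FRAMEABLE, with a reason.
    Assumes a single X-Frame-Options value (no comma-separated list)."""
    h = {name.lower(): value.strip() for name, value in headers.items()}  # header names are case-insensitive

    # Only the enforcing CSP header counts; when it carries frame-ancestors it
    # overrides X-Frame-Options entirely.
    csp = h.get("content-security-policy")
    if csp:
        sources = frame_ancestors_sources(csp)
        if sources is not None:
            if not sources or sources == ["'none'"]:      # empty source list means 'none'
                return PROTECTED, "CSP frame-ancestors 'none'"
            if "*" in sources or "http:" in sources or "https:" in sources:
                return FRAMEABLE, "CSP frame-ancestors allows any origin"
            return RESTRICTED, "CSP frame-ancestors " + " ".join(sources)

    xfo = h.get("x-frame-options")
    if xfo is None:
        report_only = h.get("content-security-policy-report-only", "")
        if frame_ancestors_sources(report_only) is not None:
            return FRAMEABLE, "frame-ancestors only in Report-Only header, which reports but never blocks"
        return FRAMEABLE, "no X-Frame-Options or frame-ancestors header"

    value = xfo.lower()
    if value == "deny":
        return PROTECTED, "X-Frame-Options: DENY"
    if value == "sameorigin":
        return RESTRICTED, "X-Frame-Options: SAMEORIGIN"
    if value.startswith("allow-from"):
        return FRAMEABLE, "X-Frame-Options: ALLOW-FROM is obsolete and ignored by current browsers"
    # ALLOWALL and any other unknown value are invalid, and an invalid header is ignored.
    return FRAMEABLE, f"invalid X-Frame-Options value {xfo!r} is ignored"


def audit(site: dict[str, dict[str, str]]) -> list[str]:
    """Return the paths (path -> response headers) that another page could frame.
    One frameable sensitive page is enough for an attacker, so every path matters."""
    return [path for path, headers in site.items()
            if framing_policy(headers)[0] == FRAMEABLE]


# Constructed sample: one site whose pages were configured inconsistently.
SAMPLE_SITE = {
    "/login": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "/dashboard": {"Content-Type": "text/html",
                   "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "/transfer": {"Content-Type": "text/html"},                                 # header forgotten
    "/settings": {"Content-Type": "text/html", "X-Frame-Options": "ALLOWALL"},  # bogus value
    "/help": {"Content-Type": "text/html",
              "X-Frame-Options": "SAMEORIGIN",
              "Content-Security-Policy": "frame-ancestors *"},                 # CSP wins and opens it up
    "/report": {"Content-Type": "text/html",
                "Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},  # reports, never blocks
}

if __name__ == "__main__":
    for path, hdrs in SAMPLE_SITE.items():
        verdict, why = framing_policy(hdrs)
        print(f"{path:<11} {verdict:<10} {why}")
    print("frameable pages:", audit(SAMPLE_SITE))
```

Run against real traffic, `framing_policy` would be fed the headers of each sensitive page (a crawler or the response headers recorded by a proxy); the point of `audit` is that the check has to cover every page, not just the login form.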
Code Examples
✗ Vulnerable
// Missing frame protection header — page can be embedded in any iframe:
header('Content-Type: text/html');
// Should add: header('X-Frame-Options: DENY');
// Or: header("Content-Security-Policy: frame-ancestors 'none'");
✓ Fixed
// Pick ONE of the following policies. PHP's header() replaces an earlier header of the
// same name, so sending DENY and then SAMEORIGIN leaves only SAMEORIGIN in the response.
// Option 1: never allow this page inside a frame, on any origin (including your own)
header('X-Frame-Options: DENY');
// Option 2: allow framing only by pages from the same origin
header('X-Frame-Options: SAMEORIGIN');
// Option 3: modern equivalent via CSP (takes precedence over X-Frame-Options if both are sent)
header("Content-Security-Policy: frame-ancestors 'none';");
// frame-ancestors 'self' matches SAMEORIGIN; a list of allowed origins can also be given
Added
15 Mar 2026
Edited
22 Mar 2026
Related categories: DEV INTEL
Tools & Severity
🟡 Medium
⚙ Fix effort: Low
⚡ Quick Fix
Add header('X-Frame-Options: DENY') or Content-Security-Policy: frame-ancestors 'none' to every response
📦 Applies To
PHP 5.0+
web
🔍 Detection Hints
Missing X-Frame-Options or frame-ancestors CSP directive in response headers
Auto-detectable:
✓ Yes
semgrep
lighthouse
owasp-zap
🤖 AI Agent
Confidence: High
False Positives: Low
✓ Auto-fixable
Fix: Low
Context: File
CWE-1021