{
    "slug": "clickjacking",
    "term": "Clickjacking",
    "category": "security",
    "difficulty": "intermediate",
    "short": "A malicious page loads your site in an invisible iframe positioned over a decoy page, tricking users into clicking UI elements they cannot see.",
    "long": "Clickjacking (UI redressing) loads a legitimate site in a transparent iframe positioned over a decoy page. The victim thinks they are clicking a harmless button on the attacker's page but are actually interacting with hidden elements on the legitimate site — liking posts, transferring funds, or changing settings. Prevention: set the X-Frame-Options: DENY (or SAMEORIGIN) response header, or use the Content-Security-Policy frame-ancestors directive. PHP: header(\"X-Frame-Options: DENY\");",
    "aliases": [
        "UI redressing",
        "click hijacking",
        "iframe overlay attack"
    ],
    "tags": [
        "browser",
        "cwe-1021",
        "headers"
    ],
    "misconception": "JavaScript frame-busting scripts prevent clickjacking. Frame-busting is bypassable with the sandbox attribute on iframes, which stops the framed page from navigating the top window. The reliable fix is the X-Frame-Options or CSP frame-ancestors header.",
    "why_it_matters": "An invisible iframe overlay tricks users into clicking UI elements on your site while believing they interact with the attacker's page — enabling unauthorised actions like fund transfers or setting changes.",
    "common_mistakes": [
        "Not setting X-Frame-Options or CSP frame-ancestors header — the page can be framed by anyone.",
        "Using X-Frame-Options: ALLOWALL, which is not a recognised directive and so provides no protection.",
        "Implementing only JavaScript frame-busting code which is easily bypassed by sandbox attributes on the iframe.",
        "Forgetting to apply the header to all pages — attackers only need one frameable sensitive action."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "csrf",
        "content_security_policy"
    ],
    "prerequisites": [
        "content_security_policy",
        "security_headers"
    ],
    "refs": [
        "https://owasp.org/www-community/attacks/Clickjacking",
        "https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html",
        "https://cwe.mitre.org/data/definitions/1021.html"
    ],
    "bad_code": "// Missing frame protection header — page can be embedded in any iframe:\nheader('Content-Type: text/html');\n// Should add: header('X-Frame-Options: DENY');\n// Or: header(\"Content-Security-Policy: frame-ancestors 'none'\");",
    "good_code": "// Prevent your page from being embedded in an iframe on another domain\nheader('X-Frame-Options: DENY');\n// Or allow only same origin:\nheader('X-Frame-Options: SAMEORIGIN');\n\n// Modern equivalent via CSP:\nheader(\"Content-Security-Policy: frame-ancestors 'none';\");\n// frame-ancestors 'self' — same as SAMEORIGIN but more flexible",
    "quick_fix": "Add an X-Frame-Options: DENY header or a Content-Security-Policy: frame-ancestors 'none' header to every response",
    "severity": "medium",
    "effort": "low",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/clickjacking",
        "html_url": "https://codeclaritylab.com/glossary/clickjacking",
        "json_url": "https://codeclaritylab.com/glossary/clickjacking.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[Clickjacking](https://codeclaritylab.com/glossary/clickjacking) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/clickjacking"
            }
        }
    }
}