Clickjacking & CSP frame-ancestors

Tags: security · CWE-1021 · OWASP A4:2021 · CVSS 6.1 · PHP 5.0+ · Intermediate

Also Known As

frame-ancestors directive; CSP clickjacking prevention

TL;DR

Tricking users into clicking hidden UI elements by overlaying a transparent iframe — prevented by CSP frame-ancestors or the X-Frame-Options header.

Explanation

Clickjacking (UI redressing) embeds a target site in a transparent iframe, positioned over a decoy page. The victim believes they are clicking the decoy UI but actually interact with the hidden target — completing a purchase, changing a password, or granting OAuth permissions. The modern defence is the Content-Security-Policy frame-ancestors directive: frame-ancestors 'none' disallows all framing; frame-ancestors 'self' permits same-origin only; frame-ancestors https://trusted.com restricts to named origins. X-Frame-Options (DENY or SAMEORIGIN) is the legacy equivalent supported by older browsers. CSP frame-ancestors takes precedence where supported and is more granular. PHP: add both headers in a middleware for defence-in-depth.

Common Misconception

X-Frame-Options and CSP frame-ancestors do exactly the same thing. frame-ancestors is more flexible (supports multiple origins) and overrides X-Frame-Options in modern browsers — but X-Frame-Options still matters for older browser support.

Why It Matters

CSP's frame-ancestors directive supersedes X-Frame-Options and provides more granular framing control — specifying exactly which origins may embed the page prevents clickjacking with a single header.

Common Mistakes

  • Using X-Frame-Options DENY without also setting CSP frame-ancestors — the legacy header offers no per-origin control, and modern browsers discard it entirely once a CSP frame-ancestors directive is present.
  • Setting frame-ancestors 'self' when the page legitimately needs to be embedded by a partner domain — too restrictive.
  • Not setting frame-ancestors at all when X-Frame-Options is the only protection — some browsers prioritise CSP.
  • Deploying frame-ancestors only on sensitive pages and missing others that trigger sensitive actions.

Code Examples

✗ Vulnerable

```php
<?php
// Only X-Frame-Options, no CSP frame-ancestors:
header('X-Frame-Options: DENY');
// Modern browsers ignore X-Frame-Options whenever a CSP frame-ancestors
// directive is present, and on its own it cannot name which origins may
// embed the page
```

✓ Fixed

```php
<?php
// Complete protection: both headers, sent before any output
header("Content-Security-Policy: frame-ancestors 'none'");  // Modern browsers
header('X-Frame-Options: DENY');                            // Legacy fallback
```
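As an added example (not code from the original page), here is a small PHP helper that derives both headers from one framing allowlist, covering the 'none', 'self' and partner-origin cases described in the Explanation; the function names and the partner origin are assumptions.

```php
<?php
// Added example, not from the original page: a middleware-style helper emitting CSP
// frame-ancestors plus legacy X-Frame-Options. Function names and the partner origin are assumed.
/**
 * Build the anti-clickjacking headers for one framing policy.
 * $allowed: [] = nobody may frame the page; ['self'] = same origin only;
 * otherwise a list of https:// origins that may embed it (same origin included).
 * Returns header name => header value.
 */
function framingHeaders(array $allowed): array
{
    if ($allowed === []) {
        // Nobody may frame this page: CSP for modern browsers, DENY for legacy ones.
        return [
            'Content-Security-Policy' => "frame-ancestors 'none'",
            'X-Frame-Options'         => 'DENY',
        ];
    }
    $sources = ["'self'"];
    foreach ($allowed as $origin) {
        if ($origin === 'self') {
            continue;
        }
        // Accept only a bare https origin (scheme + host[:port]) so a malformed
        // or injected value cannot corrupt the header.
        if (!preg_match('#^https://[A-Za-z0-9.-]+(:[0-9]{1,5})?$#', $origin)) {
            throw new InvalidArgumentException("Invalid frame-ancestors origin: $origin");
        }
        $sources[] = $origin;
    }
    return [
        'Content-Security-Policy' => 'frame-ancestors ' . implode(' ', array_unique($sources)),
        // X-Frame-Options cannot express a partner allowlist (ALLOW-FROM is obsolete),
        // so legacy browsers get the stricter SAMEORIGIN fallback instead.
        'X-Frame-Options'         => 'SAMEORIGIN',
    ];
}

/** Emit the headers; must run before any output, e.g. from a front controller. */
function sendFramingHeaders(array $allowed): void
{
    if (headers_sent($file, $line)) {
        throw new RuntimeException("Output already started at $file:$line; headers not sent");
    }
    foreach (framingHeaders($allowed) as $name => $value) {
        header("$name: $value", true); // replace any earlier value of the same header
    }
}
sendFramingHeaders([]);                             // e.g. a checkout page: never framed
// sendFramingHeaders(['https://partner.example']); // a widget one assumed partner may embed
```

Because the legacy header falls back to SAMEORIGIN in the partner case, older browsers end up stricter than modern ones rather than more permissive.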

Added 15 Mar 2026
Edited 22 Mar 2026
Tools & Severity

  • Severity: Medium; fix effort: Low
  • Quick fix: add Content-Security-Policy: frame-ancestors 'none'; it supersedes X-Frame-Options and gives more granular control over who can embed your page
  • Applies to: PHP 5.0+ web
  • Detection hints: missing both X-Frame-Options and CSP frame-ancestors; page embeddable in arbitrary iframes
  • Auto-detectable: yes (owasp-zap, lighthouse, semgrep)
  • Auto-fixable: yes (confidence high, false positives low, fix effort low, context: file)
  • Related CWEs: CWE-1021, CWE-79