CodeClarityLab / Glossary
Ctrl K
← Home ← Codex ← DEBT
Browse by Category
+ added · updated 7d
Pages
Terms of Use About Contribute 🧠Logic graph Contact
← Back to glossary

Clickjacking & CSP frame-ancestors

Security CWE-1021 OWASP A4:2021 CVSS 6.1 PHP 5.0+ Intermediate
debt(d5/e1/b3/t5)
d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches' (d5). The term's detection_hints.tools lists owasp-zap, lighthouse, and semgrep — all specialist security/audit tools that can detect missing frame-ancestors or X-Frame-Options headers. These aren't default linters but dedicated security scanners.

e1 Effort Remediation debt — work required to fix once spotted

Closest to 'one-line patch' (e1). The quick_fix is literally 'Add Content-Security-Policy: frame-ancestors 'none'' — a single header addition that can be done in one line of code or server configuration.

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3). The applies_to shows this is web-context only, and setting CSP headers is typically done in one place (middleware, server config, or a base controller). Once set, it doesn't impose ongoing maintenance burden on the rest of the codebase.

t5 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'notable trap' (t5). The misconception explicitly states developers believe 'X-Frame-Options and CSP frame-ancestors do exactly the same thing' when frame-ancestors actually overrides X-Frame-Options in modern browsers. Common mistakes include using X-Frame-Options alone thinking it's sufficient, or not understanding browser prioritisation between the two headers. This is a documented gotcha most security-aware devs eventually learn.

About DEBT scoring → scored by claude-opus-4-5-20251101 · 2026-05-06 · reviewed by human

Also Known As

frame-ancestors directive CSP clickjacking prevention

TL;DR

Tricking users into clicking hidden UI elements by overlaying a transparent iframe — prevented by CSP frame-ancestors or the X-Frame-Options header.

Explanation

Clickjacking (UI redressing) embeds a target site in a transparent iframe, positioned over a decoy page. The victim believes they are clicking the decoy UI but actually interact with the hidden target — completing a purchase, changing a password, or granting OAuth permissions. The modern defence is the Content-Security-Policy frame-ancestors directive: frame-ancestors 'none' disallows all framing; frame-ancestors 'self' permits same-origin only; frame-ancestors https://trusted.com restricts to named origins. X-Frame-Options (DENY or SAMEORIGIN) is the legacy equivalent supported by older browsers. CSP frame-ancestors takes precedence where supported and is more granular. PHP: add both headers in a middleware for defence-in-depth.

Common Misconception

X-Frame-Options and CSP frame-ancestors do exactly the same thing. frame-ancestors is more flexible (supports multiple origins) and overrides X-Frame-Options in modern browsers — but X-Frame-Options still matters for older browser support.

Why It Matters

CSP's frame-ancestors directive supersedes X-Frame-Options and provides more granular framing control — specifying exactly which origins may embed the page prevents clickjacking with a single header.

Common Mistakes

  • Using X-Frame-Options DENY without also setting CSP frame-ancestors — older header is ignored by modern browsers in some contexts.
  • Setting frame-ancestors 'self' when the page legitimately needs to be embedded by a partner domain — too restrictive.
  • Not setting frame-ancestors at all when X-Frame-Options is the only protection — some browsers prioritise CSP.
  • Deploying frame-ancestors only on sensitive pages and missing others that trigger sensitive actions.

Code Examples

✗ Vulnerable 
// Only X-Frame-Options — no CSP frame-ancestors:
header('X-Frame-Options: DENY');
// Modern browsers may ignore this if CSP is present without frame-ancestors

// Complete protection:
header('X-Frame-Options: DENY');  // Legacy browsers
header("Content-Security-Policy: frame-ancestors 'none'");  // Modern browsers
✓ Fixed 
header("Content-Security-Policy: frame-ancestors 'none'");
header('X-Frame-Options: DENY'); // legacy fallback
Added 15 Mar 2026
Edited 22 Mar 2026
Views 45

Curated in Warsaw under one editorial standard. 1,506 terms, single voice.  About this reference →

Rate this term
No ratings yet
🤖 AI Guestbook educational data only
| |
Last 30 days
0 pings T 0 pings W 1 ping T 0 pings F 0 pings S 1 ping S 1 ping M 0 pings T 0 pings W 2 pings T 1 ping F 0 pings S 2 pings S 1 ping M 2 pings T 0 pings W 1 ping T 0 pings F 0 pings S 0 pings S 0 pings M 0 pings T 0 pings W 0 pings T 0 pings F 0 pings S 1 ping S 1 ping M 0 pings T 0 pings W
Agents 0
No pings yet today
No pings yesterday
Amazonbot 6 Scrapy 6 Perplexity 4 SEMrush 4 Ahrefs 3 Bing 3 Google 2 Unknown AI 2 Claude 2 ChatGPT 2 Meta AI 1 PetalBot 1
Also referenced
Cross-Site Request Forgery (CSRF) 84 Database Transactions 75 Content Security Policy (CSP) 60 CORS Misconfiguration 49
How they use it
crawler 31 crawler_json 5
Related categories
security 7.9k database 2.9k
DEV INTEL Tools & Severity
🟡 Medium ⚙ Fix effort: Low
⚡ Quick Fix
Add Content-Security-Policy: frame-ancestors 'none' — it supersedes X-Frame-Options and gives more granular control over who can embed your page
📦 Applies To
PHP 5.0+ web
🔗 Prerequisites
🔍 Detection Hints
Missing both X-Frame-Options and CSP frame-ancestors; page embeddable in arbitrary iframes
Auto-detectable: ✓ Yes owasp-zap lighthouse semgrep
⚠ Related Problems
🤖 AI Agent
Confidence: High False Positives: Low ✓ Auto-fixable Fix: Low Context: File
CWE-1021 CWE-79
✓ schema.org compliant