Severity: medium · Category: Headers

Clickjacking Protection

Clickjacking is an attack where a malicious website embeds your site in a hidden or transparent iframe and tricks users into clicking on your site's buttons — like confirming a purchase, changing account settings, or clicking Like on social media — without realising it.

What SecurityStatus Checks

  • Whether X-Frame-Options is set to DENY or SAMEORIGIN
  • Whether Content-Security-Policy includes a frame-ancestors directive
  • Whether both X-Frame-Options and CSP frame-ancestors are present (belt and braces)

Why This Matters

Clickjacking can be used to trick users into performing actions they did not intend — changing privacy settings, making purchases, authorising OAuth applications, and more. It requires no vulnerabilities in your code — just the ability to embed your site in an iframe.

How to Fix It

  1. Add X-Frame-Options header

     The simplest fix: add `X-Frame-Options: SAMEORIGIN` to all responses. This prevents your site from being embedded in iframes on other domains. Use DENY if you do not need your site to be iframed even by your own subdomains.

  2. Add CSP frame-ancestors

     The modern replacement for X-Frame-Options: add `Content-Security-Policy: frame-ancestors 'self'` to allow only same-origin embedding, or `frame-ancestors 'none'` to block all embedding. CSP frame-ancestors takes precedence over X-Frame-Options in modern browsers.

  3. Use both for compatibility

     Since some older browsers only support X-Frame-Options and some modern browsers prioritise CSP, use both: `X-Frame-Options: SAMEORIGIN` and `Content-Security-Policy: frame-ancestors 'self'`.
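The checks listed under "What SecurityStatus Checks" and the header pair from step 3, as an added example that is not SecurityStatus's own scanner code: a small checker that evaluates a response's headers against those three checks. It goes slightly beyond the page in treating `frame-ancestors *` as not protective, since a wildcard permits any embedder; the sample responses are constructed.

```python
from typing import Mapping, Optional

# Step 3 of the fix: the header pair recommended for compatibility.
RECOMMENDED_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'self'",
}

def frame_ancestors_sources(csp: Optional[str]) -> Optional[list]:
    """Return the source list of the frame-ancestors directive, or None if absent.
    CSP directives are ';'-separated; the first token of each is the directive name."""
    if not csp:
        return None
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def check_clickjacking(headers: Mapping[str, str]) -> dict:
    """Mirror the three checks listed above. Header names are case-insensitive."""
    h = {name.lower(): value for name, value in headers.items()}
    xfo = h.get("x-frame-options", "").strip().upper()
    # Only DENY and SAMEORIGIN count; the obsolete ALLOW-FROM is ignored by browsers.
    xfo_ok = xfo in ("DENY", "SAMEORIGIN")
    sources = frame_ancestors_sources(h.get("content-security-policy"))
    fa_present = sources is not None
    # Assumption beyond the page: a '*' source allows any embedder, so it is not protective.
    fa_ok = fa_present and "*" not in sources
    return {
        "x_frame_options": xfo_ok,
        "frame_ancestors": fa_ok,
        "both": xfo_ok and fa_ok,      # belt and braces
        "protected": xfo_ok or fa_ok,
    }

# Constructed sample responses (not real scan data).
SAMPLES = {
    "missing": {"Content-Type": "text/html"},
    "xfo_only": {"x-frame-options": "sameorigin"},
    "csp_wildcard": {"Content-Security-Policy": "default-src 'self'; frame-ancestors *"},
    "hardened": RECOMMENDED_HEADERS,
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:13} {check_clickjacking(hdrs)}")
```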

Frequently Asked Questions

Does clickjacking require the user to be logged in?
Not always. But clickjacking is most harmful when the victim is authenticated, because the clicks perform authenticated actions. Unauthenticated clickjacking can still be used for ad fraud or social engineering.

What if I legitimately need my site embedded in an iframe?
Use CSP frame-ancestors with an explicit list of trusted origins: `frame-ancestors 'self' https://trusted-partner.com`. Never use `frame-ancestors 'none'` if you have legitimate iframe use cases.

Is X-Frame-Options deprecated?
X-Frame-Options is still widely supported and should be used alongside CSP for maximum compatibility. CSP frame-ancestors is the modern standard, but X-Frame-Options is not harmful to include.
