What Is Clickjacking?
Clickjacking (UI redressing) is an attack where a malicious website embeds your legitimate site in a transparent iframe and overlays it with a decoy UI. Users think they are clicking on the visible page, but they are actually clicking hidden buttons on your site — authorizing payments, changing settings, or granting permissions.
Types of Clickjacking
Classic Clickjacking
Your site is loaded in a transparent iframe positioned over a fake button.
<iframe src="https://bank.com/transfer?to=attacker&amount=1000" style="opacity:0;position:absolute;top:0;left:0;width:100%;height:100%"></iframe>
Likejacking
Social media buttons (Like, Follow, Share) are hidden under innocuous elements, tricking users into social actions.
Cursorjacking
The visible cursor position is offset from the actual cursor position, causing users to click on different elements than they intend.
How to Prevent It
# 1. X-Frame-Options header (legacy but widely supported)
X-Frame-Options: DENY
# 2. CSP frame-ancestors directive (modern, more flexible)
Content-Security-Policy: frame-ancestors 'none'
# 3. JavaScript frame-buster (fallback for very old browsers)
<style>body { display: none; }</style>
<script>
  // Page starts hidden; reveal it only when it is the top-level window,
  // otherwise navigate the top window to this page to escape the frame.
  if (self === top) {
    document.body.style.display = 'block';
  } else {
    top.location = self.location;
  }
</script>
# 4. SameSite cookies prevent authenticated clickjacking: the session cookie is not sent with cross-site framed requests, so the framed page loads unauthenticated
Set-Cookie: session=abc; SameSite=Strict
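The following audit function, added here as an example and not part of the original page, applies the header rules above to a response: CSP frame-ancestors takes precedence over X-Frame-Options when both are present, and a response with neither is framable by any origin. The header dict, origins and the helper names are assumptions for the example.

```python
"""Decide whether a response's headers let a given origin frame the page.

Added example (not from the original page). Assumes a browser that supports
CSP Level 2 frame-ancestors, so that directive wins over X-Frame-Options.
Host wildcards such as *.example.com are not handled (kept simple on purpose).
"""


def _frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP value, or None."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def framing_allowed(headers: dict, page_origin: str, framer_origin: str) -> bool:
    """True if framer_origin may embed the page, per the response headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    page, framer = page_origin.lower(), framer_origin.lower()
    same_origin = page == framer

    csp = h.get("content-security-policy")
    sources = _frame_ancestors(csp) if csp else None
    if sources is not None:  # CSP frame-ancestors present: it decides
        if sources == ["'none'"]:
            return False
        for src in sources:
            if src == "*" or src == framer:
                return True
            if src == "'self'" and same_origin:
                return True
            if src.endswith(":") and framer.startswith(src):  # scheme source, e.g. https:
                return True
        return False

    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False
    if xfo == "sameorigin":
        return same_origin
    # No recognised protection: any site can frame the page (clickjackable).
    return True


if __name__ == "__main__":
    # Constructed sample: legacy header only, framed by an unrelated site.
    sample = {"X-Frame-Options": "SAMEORIGIN"}
    print(framing_allowed(sample, "https://bank.example", "https://evil.example"))  # False
```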
Real-World Impact
Unauthorized actions on the victim's behalf — fund transfers, account setting changes, social media interactions, permission grants (camera, microphone), and downloading malware.