How the Attack Works
Clickjacking (UI redress attack) is a user interface attack. The attacker builds a decoy page that loads your site in an <iframe> made invisible (opacity: 0) and stacked on top of an enticing button ("Win a gift!"), shifted so that a sensitive control on your site, for example "Confirm a $500 transfer" or "Delete my account", sits exactly over the decoy. The user sees and clicks the bait; the click actually lands on your site's button.
The user gets no visual indication of what is happening. The attack works because the browser sends the user's session cookies with the framed request, so the action is executed under their identity. Cookies marked SameSite=Lax or Strict (the treatment Chrome applies by default to cookies that set no SameSite attribute) are not sent to a cross-site iframe, which blunts this variant but does not replace the framing protections described below.
Real Cases and History
Clickjacking is not theoretical. Some documented examples:
- Facebook "likejacking" (2010): malicious pages tricked users into clicking a hidden Like button, spreading the page to their friends without their knowledge.
- Vote and rating manipulation: attackers hijacked clicks on voting and rating widgets to artificially inflate scores.
- Webcam activation via Flash (2008): the original clickjacking demonstration by Robert Hansen and Jeremiah Grossman framed the Adobe Flash Player settings page invisibly, so that the victim's clicks enabled the webcam and microphone without any visible consent.
Protection 1: The X-Frame-Options Header
The X-Frame-Options HTTP header controls whether your page can be embedded in an iframe. Three possible values:
- DENY: your page can never be embedded in an iframe, regardless of the domain.
- SAMEORIGIN: embedding is allowed only if the framing page (and, in current browsers, every ancestor frame) has the same origin, that is the same scheme, host and port.
- ALLOW-FROM uri: allows a specific domain. Obsolete: modern browsers do not implement it, and because they ignore an X-Frame-Options header whose value they do not recognise, a page that sends only ALLOW-FROM ends up frameable by anyone.
# Apache — httpd.conf or .htaccess
Header always set X-Frame-Options "DENY"
Protection 2: CSP frame-ancestors
The Content-Security-Policy (CSP) frame-ancestors directive is the modern and recommended method. It supersedes X-Frame-Options and offers more flexibility:
- frame-ancestors 'none': equivalent to DENY, no framing allowed.
- frame-ancestors 'self': equivalent to SAMEORIGIN.
- frame-ancestors https://partner.com: allows only that specific origin.
# Apache
Header always set Content-Security-Policy "frame-ancestors 'none'"
Unlike X-Frame-Options, CSP frame-ancestors accepts several sources in one directive as well as subdomain wildcards, for example frame-ancestors 'self' https://*.partner.com. Note that frame-ancestors is only honoured when delivered as an HTTP response header; browsers ignore it in a <meta http-equiv="Content-Security-Policy"> tag.
Which Protection to Choose?
The current recommendation is to combine both for maximum compatibility:
- CSP frame-ancestors takes precedence in browsers that support it (all modern browsers): when both headers are present, such a browser enforces frame-ancestors and ignores X-Frame-Options entirely, so keep the two consistent.
- X-Frame-Options remains useful for older browsers that do not support frame-ancestors (CSP Level 2), such as Internet Explorer 11.
Frame-busting JavaScript (the old technique if (top !== self) top.location = self.location) is easily bypassed: an iframe carrying a sandbox attribute that omits allow-top-navigation cannot change top.location at all, so the framed page's script fails silently while the page stays framed. It should no longer be considered sufficient protection on its own.
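As an added example (not code from the original article), the following Node.js script evaluates a response's X-Frame-Options and CSP frame-ancestors headers the way the two kinds of browser described above would: it covers the X-Frame-Options values, the frame-ancestors source forms (including subdomain wildcards) and the precedence rule. The sample header sets and the site names bank.example, partner.example and evil.example are constructed; the parser is deliberately simplified relative to the full CSP grammar (no path matching, a single CSP header) and the cspSupported flag stands in for the browser's capability.

```javascript
// Added example, not code from the original article: decide whether the
// anti-framing headers on a response let a given embedder frame the page.
// A browser that understands CSP frame-ancestors enforces that directive and
// ignores X-Frame-Options; an older browser only sees X-Frame-Options.

// Pull the frame-ancestors source list out of a CSP header value.
// Returns null when the header is absent or has no such directive.
function parseFrameAncestors(cspValue) {
  if (!cspValue) return null;
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0 && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1);
    }
  }
  return null;
}

const DEFAULT_PORT = { 'https:': '443', 'http:': '80' };

// Match one CSP source expression against the embedder's origin (a URL object).
// Handles 'none', 'self', '*', scheme-only sources ("https:"), host sources
// with optional scheme and port, and "*." subdomain wildcards.
function sourceMatches(source, embedder, pageOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return embedder.origin === pageOrigin;
  if (src === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return embedder.protocol === src;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(?:\/.*)?$/.exec(src);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // Scheme: an explicit scheme must match; a scheme-less source inherits the
  // page's scheme (an http page may additionally be framed over https).
  const pageScheme = new URL(pageOrigin).protocol;
  if (scheme) {
    if (`${scheme}:` !== embedder.protocol) return false;
  } else if (embedder.protocol !== pageScheme &&
             !(pageScheme === 'http:' && embedder.protocol === 'https:')) {
    return false;
  }
  // Host: "*.partner.example" matches any subdomain, not "partner.example" itself.
  const hostOk = host.startsWith('*.')
    ? embedder.hostname.endsWith(host.slice(1))
    : embedder.hostname === host;
  if (!hostOk) return false;
  // Port: absent means the scheme's default port; "*" means any port.
  if (port && port !== '*') {
    const embedderPort = embedder.port || DEFAULT_PORT[embedder.protocol] || '';
    if (port !== embedderPort) return false;
  }
  return true;
}

// X-Frame-Options alone. Values a browser does not recognise (including the
// obsolete ALLOW-FROM) make it ignore the header, leaving the page frameable.
function xfoAllows(xfoValue, embedder, pageOrigin) {
  const v = (xfoValue || '').trim().toUpperCase();
  if (v === 'DENY') return false;
  if (v === 'SAMEORIGIN') return embedder.origin === pageOrigin;
  return true;
}

// headers: response headers keyed by lowercase name, as Node's http module
// exposes them. Returns true when embedderOrigin may frame the page.
function canBeFramed({ headers, pageOrigin, embedderOrigin, cspSupported = true }) {
  const embedder = new URL(embedderOrigin);
  const ancestors = parseFrameAncestors(headers['content-security-policy']);
  if (cspSupported && ancestors !== null) {
    return ancestors.some((s) => sourceMatches(s, embedder, pageOrigin));
  }
  return xfoAllows(headers['x-frame-options'], embedder, pageOrigin);
}

// Constructed sample responses for a fictitious https://bank.example.
const PAGE = 'https://bank.example';
const SAMPLES = {
  unprotected:  {},
  xfoOnly:      { 'x-frame-options': 'DENY' },
  cspOnly:      { 'content-security-policy': "default-src 'self'; frame-ancestors 'self' https://*.partner.example" },
  both:         { 'x-frame-options': 'SAMEORIGIN', 'content-security-policy': "frame-ancestors 'none'" },
  inconsistent: { 'x-frame-options': 'DENY', 'content-security-policy': 'frame-ancestors https://partner.example' },
};

// Evaluate every sample against a cross-site attacker, in a browser that honours
// frame-ancestors ("modern") and one that only knows X-Frame-Options ("legacy").
function report(attackerOrigin = 'https://evil.example') {
  const rows = {};
  for (const [name, headers] of Object.entries(SAMPLES)) {
    rows[name] = {
      modern: canBeFramed({ headers, pageOrigin: PAGE, embedderOrigin: attackerOrigin }),
      legacy: canBeFramed({ headers, pageOrigin: PAGE, embedderOrigin: attackerOrigin, cspSupported: false }),
    };
  }
  return rows;
}

console.table(report());
```

The cspOnly sample is the case that justifies sending both headers: blocked in a modern browser, frameable in a legacy one. The inconsistent sample shows the precedence trap: a supporting browser honours frame-ancestors https://partner.example and ignores the DENY sent next to it, so the two headers must express the same policy.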
Protect Your Site Against Clickjacking
Setting up these headers takes less than five minutes but protects all your users. Run a free audit to check whether your site is vulnerable to clickjacking and detect all missing security headers.