Security Check n°8 / 120

Clickjacking protection

Clickjacking involves overlaying the target site in an invisible iframe on another site, then tricking the user into clicking elements of th…


Understanding "Clickjacking protection"

Clickjacking (or UI redressing) is an attack technique that overlays your site in an invisible <iframe> on top of a malicious page. The visitor thinks they are clicking on an element of the visible page (a game, an ad), but they are actually clicking a button on your site loaded in the hidden iframe. The attacker can thus trigger sensitive actions by authenticated users — confirming a transfer, changing a password, posting content — without their consent.

Two complementary protection mechanisms exist: the X-Frame-Options header (legacy method, supported by all browsers) and the frame-ancestors directive in Content-Security-Policy (modern method, more precise).

❌ Clickjacking attack — without protection
  🎮 Visible page (game, contest…) — what the user sees
  🔒 Your site in an invisible iframe — "Confirm" button
  🖱️ User clicks "Play" → triggers "Confirm payment" on your site

✅ With X-Frame-Options: SAMEORIGIN
  Malicious site tries to embed your site in an iframe → browser blocks ✓

How TheSiteFuse checks "Clickjacking protection"

TheSiteFuse retrieves the HTTP response headers and checks for the presence of X-Frame-Options with a SAMEORIGIN or DENY value, and/or the frame-ancestors directive in the Content-Security-Policy. If at least one of the two mechanisms is present with a restrictive value, the check passes.
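As an added example (not TheSiteFuse's own code), here is a small Python evaluator that applies the rule just described to a set of response headers, such as the ones returned by the curl command in the Verify section; the header parser, the constructed SAMPLE response and the decision to give no credit to Report-Only policies or the deprecated ALLOW-FROM form are my assumptions.

```python
from typing import Dict, List, Tuple
# X-Frame-Options values that actually block cross-origin framing.
XFO_RESTRICTIVE = {"DENY", "SAMEORIGIN"}

def parse_raw_headers(raw: str) -> List[Tuple[str, str]]:
    """Turn `curl -I` style output into (name, value) pairs, skipping the status line."""
    pairs = []
    for line in raw.splitlines():
        if ":" in line and not line.upper().startswith("HTTP/"):
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs

def csp_directives(csp: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [sources]}; directive names are case-insensitive."""
    out: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out

def frame_ancestors_restrictive(sources: List[str]) -> bool:
    """Empty list means 'none'; a wildcard or bare scheme lets any origin frame the page."""
    return not any(s.lower() in ("*", "http:", "https:") for s in sources)

def check_clickjacking(headers: List[Tuple[str, str]]) -> Dict[str, object]:
    """Pass if X-Frame-Options is DENY/SAMEORIGIN or an enforced CSP has a restrictive frame-ancestors."""
    xfo_ok = csp_ok = False
    notes: List[str] = []
    for name, value in headers:
        lname = name.lower()
        if lname == "x-frame-options":
            if value.strip().upper() in XFO_RESTRICTIVE:
                xfo_ok = True
            else:  # ALLOW-FROM (deprecated) or a typo: browsers ignore it, so no credit
                notes.append(f"ignored X-Frame-Options value: {value!r}")
        elif lname == "content-security-policy":
            fa = csp_directives(value).get("frame-ancestors")
            if fa is not None and frame_ancestors_restrictive(fa):
                csp_ok = True
            elif fa is not None:
                notes.append("frame-ancestors allows any origin")
        elif lname == "content-security-policy-report-only":
            notes.append("Report-Only CSP does not block framing")  # never counts
    return {"pass": xfo_ok or csp_ok, "xfo": xfo_ok, "csp": csp_ok, "notes": notes}

# Constructed sample response: only the deprecated ALLOW-FROM form, so the check fails.
SAMPLE = "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://partner.example\r\n"
```

A response that sends several Content-Security-Policy headers passes as soon as one of them carries a restrictive frame-ancestors, since browsers enforce every policy they receive.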

Why "Clickjacking protection" matters

Without clickjacking protection, your visitors are vulnerable to subtle attacks:

  • Involuntary actions — a logged-in user can unknowingly confirm a transaction, delete data or change security settings.
  • Likejacking — on social networks, clickjacking can trigger likes, shares or follows without consent.
  • Advanced phishing — overlaying your login form in an iframe allows the attacker to capture credentials by intercepting the submit event.
  • GDPR compliance — forcing a user to accept cookies via clickjacking may constitute a legal violation.

Fix "Clickjacking protection" step by step

Recommended — CSP frame-ancestors directive

Apache:

Header always set Content-Security-Policy "...; frame-ancestors 'self'"

Compatibility — X-Frame-Options

Apache:

Header always set X-Frame-Options "SAMEORIGIN"

Nginx:

add_header X-Frame-Options "SAMEORIGIN" always;

Note: X-Frame-Options: ALLOW-FROM is deprecated and not supported by Chrome/Firefox. Use frame-ancestors in CSP for specific origins.

Verify

curl -I https://yoursite.com | grep -iE "x-frame|content-security"

Reference resource

To deepen your understanding of the technical concepts behind this check, see the dedicated Wikipedia article.

Wikipedia — Clickjacking protection
