iframe Security Clickjacking and X-Frame-Options
Prevent clickjacking attacks with X-Frame-Options and CSP.
What is Clickjacking?
Clickjacking (UI redressing) embeds a target site in a transparent iframe over a decoy page. The user thinks they're clicking the decoy but actually clicks the hidden, authenticated page below — executing actions on the target site without knowledge.
Clickjacking Attack Mechanics
The attacker loads victim.com in a transparent iframe positioned over a "Click to win!" button. When the user clicks, they actually click victim.com's "Delete Account" button — authenticated as themselves in victim.com's session cookie. No phishing required.
All lessons in this course
- The iframe Element src and sandbox
- iframe Security Clickjacking and X-Frame-Options
- The embed and object Elements
- Lazy Loading iframes