0Pricing
HTML Academy · Lesson

iframe Security Clickjacking and X-Frame-Options

Prevent clickjacking attacks with X-Frame-Options and CSP.

What is Clickjacking?

Clickjacking (UI redressing) embeds a target site in a transparent iframe over a decoy page. The user thinks they're clicking the decoy but actually clicks the hidden, authenticated page below — executing actions on the target site without knowledge.

Clickjacking Attack Mechanics

The attacker loads victim.com in a transparent iframe positioned over a "Click to win!" button. When the user clicks, they actually click victim.com's "Delete Account" button — authenticated as themselves in victim.com's session cookie. No phishing required.

All lessons in this course

  1. The iframe Element src and sandbox
  2. iframe Security Clickjacking and X-Frame-Options
  3. The embed and object Elements
  4. Lazy Loading iframes
← Back to HTML Academy