What is Clickjacking
Clickjacking is a malicious technique that tricks a web user into clicking on something different from what they perceive, potentially revealing confidential information or allowing attackers to take control of their computer while interacting with seemingly harmless web pages.
For example, an attacker may create a web page with a button labeled “Click here for a free iPod.” On top of this page, the attacker places an invisible iframe containing the user’s email account, aligning the “delete all messages” button directly over the “free iPod” button. When the user clicks the “free iPod” button, they actually trigger the “delete all messages” action. This hijacking of user clicks is why the technique is called Clickjacking.
The risk arises when a server does not return an X-Frame-Options header. This HTTP header indicates whether a browser is allowed to render a page in a <frame>, <iframe>, or <object>. By using it, sites can prevent clickjacking by ensuring their content is not embedded in other sites.
X-Frame-Options Header
Set the X-Frame-Options header for all responses containing HTML content. The possible values are:
- DENY – Prevents any domain from framing the content. Recommended unless framing is specifically needed.
- SAMEORIGIN – Allows only the current site to frame the content.
- ALLOW-FROM uri – Permits only the specified URI to frame the page (e.g., ALLOW-FROM http://www.example.com). Note: a browser that does not support this value ignores the header entirely, so the page is left framable in that browser.
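The following checker is an added example and is not code from the original article. It classifies a response's headers according to the rules listed above (DENY and SAMEORIGIN protect, ALLOW-FROM is unreliable, anything else is ignored by browsers and so gives no protection). As an assumption beyond the article's scope, it also recognises the Content-Security-Policy frame-ancestors directive, which current browsers honour in preference to X-Frame-Options when both are present. The header dictionaries at the bottom are constructed samples; check_url fetches a live page when run from the command line.

```python
"""Audit a response's X-Frame-Options (and CSP frame-ancestors) header."""
import sys
import urllib.request

VALID_XFO = {"DENY", "SAMEORIGIN"}


def classify_xfo(value):
    """Return (verdict, reason) for one X-Frame-Options header value.

    verdict is "missing", "protected", "weak" or "invalid". Browsers ignore
    an unrecognised or conflicting value, which leaves the page framable, so
    "invalid" is as bad as a missing header.
    """
    if value is None:
        return "missing", "no X-Frame-Options header"
    tokens = [t.strip().upper() for t in value.split(",") if t.strip()]
    if len(tokens) != 1:
        return "invalid", f"conflicting or empty values: {value!r}"
    token = tokens[0]
    if token in VALID_XFO:
        return "protected", token
    if token.startswith("ALLOW-FROM"):
        return "weak", "ALLOW-FROM is obsolete and ignored by current browsers"
    return "invalid", f"unrecognised value {value!r}"


def frame_ancestors(csp_value):
    """Return the source list of a CSP frame-ancestors directive, or None."""
    if not csp_value:
        return None
    for directive in csp_value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def evaluate(headers):
    """Combine X-Frame-Options and CSP frame-ancestors into one verdict.

    headers: mapping of response header names to values (names matched
    case-insensitively).
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    sources = frame_ancestors(lowered.get("content-security-policy"))
    if sources is not None:
        # frame-ancestors wins where supported. '*' or a bare scheme such as
        # "https:" lets any page frame the content; an empty list matches no
        # ancestor and therefore blocks framing.
        if "*" in sources or any(s.endswith(":") for s in sources):
            return "weak", "CSP frame-ancestors allows any origin: " + " ".join(sources)
        return "protected", "CSP frame-ancestors " + " ".join(sources)
    return classify_xfo(lowered.get("x-frame-options"))


def check_url(url):
    """Fetch a URL and evaluate its clickjacking headers (network access)."""
    with urllib.request.urlopen(url) as resp:  # follows redirects by default
        return evaluate(dict(resp.headers.items()))


# Constructed sample responses, one per outcome.
SAMPLES = {
    "deny":        {"X-Frame-Options": "DENY"},
    "sameorigin":  {"x-frame-options": "sameorigin"},
    "allow-from":  {"X-Frame-Options": "ALLOW-FROM https://example.com/"},
    "conflicting": {"X-Frame-Options": "DENY, SAMEORIGIN"},
    "csp":         {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "none":        {},
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_url(sys.argv[1]))
    else:
        for name, hdrs in SAMPLES.items():
            print(f"{name:12} {evaluate(hdrs)}")
```

Run it with a URL argument to audit a real site, or without one to see the verdict for each constructed sample. The "invalid" outcome is the one that most often surprises people: a misspelt value such as ALLOWALL looks like configuration but provides no protection at all.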
Examples of Configuration
Apache (choose one of the following; "always" also applies the header to error responses, which "set" alone does not):
# Deny framing except from the same origin, on every response including errors
Header always set X-Frame-Options SAMEORIGIN
# Deny all framing (recommended unless framing is needed)
Header set X-Frame-Options DENY
# Permit one origin only; unreliable, since unsupported values are ignored by the browser
Header set X-Frame-Options "ALLOW-FROM https://example.com/"
Nginx:
add_header X-Frame-Options SAMEORIGIN;
IIS: Add the following to your site’s Web.config file:
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
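When the web server configuration is not under your control, the same header can be added by the application itself. The WSGI middleware below is an added example (not the article's own code and not tied to any particular framework): it attaches X-Frame-Options to every response unless the application already set one, and refuses the obsolete ALLOW-FROM value at construction time so a framable deployment cannot ship by accident. The class name, the policy parameter and the demo applications are this example's own.

```python
"""Set X-Frame-Options from a WSGI middleware rather than the web server."""
from wsgiref.simple_server import make_server


class FrameOptionsMiddleware:
    """Wrap a WSGI app and add X-Frame-Options to its responses."""

    def __init__(self, app, policy="DENY"):
        if policy not in ("DENY", "SAMEORIGIN"):
            # ALLOW-FROM is ignored by current browsers, so reject it rather
            # than silently deploying a page that can still be framed.
            raise ValueError("policy must be DENY or SAMEORIGIN")
        self.app = app
        self.policy = policy

    def __call__(self, environ, start_response):
        def _start_response(status, headers, exc_info=None):
            names = {name.lower() for name, _ in headers}
            # Keep a value the application set deliberately; otherwise add the
            # policy to every response. Setting it on non-HTML bodies is
            # harmless and avoids missing an HTML view by mistake.
            if "x-frame-options" not in names:
                headers = headers + [("X-Frame-Options", self.policy)]
            return start_response(status, headers, exc_info)
        return self.app(environ, _start_response)


def demo_app(environ, start_response):
    """Minimal HTML page with no clickjacking header of its own."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<h1>hello</h1>"]


def demo_app_with_own_header(environ, start_response):
    """An app that already chose SAMEORIGIN; the middleware must not override it."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                              ("X-Frame-Options", "SAMEORIGIN")])
    return [b"<h1>framable by same origin</h1>"]


def run_app(app, path="/"):
    """Invoke a WSGI app in-process and return (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    body = b"".join(app(environ, start_response))
    return captured["status"], dict(captured["headers"]), body


def rejects_policy(policy):
    """True if the middleware refuses the given policy value."""
    try:
        FrameOptionsMiddleware(demo_app, policy)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Serve the wrapped demo app locally; inspect the header with the browser
    # developer tools or any HTTP client.
    make_server("127.0.0.1", 8080, FrameOptionsMiddleware(demo_app)).serve_forever()
```

run_app drives the wrapped application without a socket, which is also how a unit test in a real project would confirm that every response carries the header before the change reaches production.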
Using the X-Frame-Options header properly helps protect your website from clickjacking attacks.