Web Security

Clickjacking

Clickjacking is an attack where a malicious page embeds a legitimate site in an invisible iframe and tricks users into clicking on its controls while thinking they're interacting with the malicious page. It can be used to make users unknowingly authorize payments, change account settings, or perform other actions. Prevention requires the X-Frame-Options header set to DENY or SAMEORIGIN, or the CSP frame-ancestors directive. Most modern frameworks set anti-clickjacking headers by default.
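The header check described above, as an added example that is not part of the glossary page: it classifies a response's framing protection from its X-Frame-Options header and CSP frame-ancestors directive, the two controls the definition names. The header dictionaries at the bottom are constructed samples, not real scan results; CSP frame-ancestors is given precedence over X-Frame-Options because that is what the CSP specification requires of browsers that support it.

```python
"""Assess whether a set of HTTP response headers blocks framing (clickjacking).

Added example for the glossary entry above; the sample header sets are constructed.
"""
from __future__ import annotations


def parse_frame_ancestors(csp: str) -> list[str] | None:
    """Return the source list of the frame-ancestors directive, or None if absent.

    Only the enforcing Content-Security-Policy header is consulted; a
    Content-Security-Policy-Report-Only header never blocks framing.
    """
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [token.lower() for token in tokens[1:]]
    return None


def assess_framing(headers: dict[str, str]) -> dict:
    """Classify framing protection as 'denied', 'same-origin', 'restricted' or 'none'.

    'protected' is False when any origin may frame the page, which is the
    precondition for a clickjacking overlay.
    """
    # Header names are case-insensitive, so normalise before lookup.
    lower = {name.lower(): value for name, value in headers.items()}

    sources = parse_frame_ancestors(lower.get("content-security-policy", ""))
    if sources is not None:
        # frame-ancestors supersedes X-Frame-Options in browsers that support CSP.
        if sources == ["'none'"]:
            return {"protected": True, "level": "denied", "source": "csp"}
        if sources == ["'self'"]:
            return {"protected": True, "level": "same-origin", "source": "csp"}
        if any(source in ("*", "http:", "https:") for source in sources):
            return {"protected": False, "level": "none", "source": "csp",
                    "reason": "frame-ancestors permits any origin"}
        return {"protected": True, "level": "restricted", "source": "csp",
                "allowed": sources}

    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return {"protected": True, "level": "denied", "source": "x-frame-options"}
    if xfo == "SAMEORIGIN":
        return {"protected": True, "level": "same-origin", "source": "x-frame-options"}
    if xfo.startswith("ALLOW-FROM"):
        # Obsolete value: modern browsers ignore it, so the page is framable.
        return {"protected": False, "level": "none", "source": "x-frame-options",
                "reason": "ALLOW-FROM is not honoured by current browsers"}
    if xfo:
        return {"protected": False, "level": "none", "source": "x-frame-options",
                "reason": f"unrecognised X-Frame-Options value {xfo!r}"}
    return {"protected": False, "level": "none", "source": None,
            "reason": "no anti-framing header present"}


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "hardened": {"X-Frame-Options": "DENY"},
    "csp-self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "partner-only": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "csp-overrides-xfo": {"Content-Security-Policy": "frame-ancestors *",
                          "X-Frame-Options": "DENY"},
    "legacy-allow-from": {"x-frame-options": "ALLOW-FROM https://partner.example"},
    "missing": {},
}


def report(samples: dict[str, dict[str, str]] = SAMPLES) -> dict[str, dict]:
    """Run assess_framing over every sample and return the results by name."""
    return {name: assess_framing(hdrs) for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, result in report().items():
        status = "OK " if result["protected"] else "FAIL"
        print(f"{status} {name:18} {result['level']:12} {result.get('reason', '')}")
```

The "csp-overrides-xfo" sample shows the caveat practitioners most often miss: a permissive frame-ancestors directive cancels a strict X-Frame-Options header in CSP-aware browsers, so both controls must agree.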

Why it matters for your website

  • Listed in the OWASP Top 10 — one of the most critical web risks
  • Can lead to data exfiltration, account takeover, or full system compromise
  • Required to fix before passing security reviews for enterprise customers

Check your site for Clickjacking issues

Run a free scan to see if your domain has any Clickjacking-related vulnerabilities or misconfigurations.
