What is Clickjacking?
An attack that tricks users into clicking on something different from what they perceive, by layering transparent or opaque elements over a web page.
Clickjacking uses invisible iframes or overlays to hijack your clicks, making you perform unintended actions.
How It Works
- Attacker creates a page with an invisible iframe of a target site
- The target site's button (like "Delete Account" or "Allow Camera") is positioned under the attacker's button
- User clicks what appears to be a harmless button
- The click actually hits the hidden target site's button
- The action is performed with the user's existing session/cookies
Protection (Users)
- Use a browser with good clickjacking protection
- Be cautious of pages that seem to require unusual clicking
- NoScript extension can block framing
Protection (Developers)
- Set the X-Frame-Options: DENY or SAMEORIGIN header
- Use the CSP frame-ancestors directive
- Implement frame-busting JavaScript as a fallback
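The three developer protections above, worked through as an added example (this code is not part of the original glossary entry): one function builds the anti-framing headers a server should send, one audits a captured set of response headers the way a proxy or test harness would and reports whether an arbitrary origin can frame the page, and one is the frame-busting fallback, written to take the window object as a parameter so it can be exercised outside a browser. The header names and values are the real ones; the function names, the verdict strings and the sample headers are assumptions constructed for the example.

```javascript
// Added example: anti-framing headers, a header audit, and the frame-busting fallback.

// Headers a server should send. CSP frame-ancestors is the modern control and
// takes precedence in browsers that support it; X-Frame-Options is kept for
// older browsers. "deny" blocks all framing, "sameorigin" allows only our own origin.
function antiFramingHeaders(policy = "deny") {
  if (policy === "deny") {
    return { "X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors 'none'" };
  }
  if (policy === "sameorigin") {
    return { "X-Frame-Options": "SAMEORIGIN", "Content-Security-Policy": "frame-ancestors 'self'" };
  }
  throw new Error(`unknown policy: ${policy}`);
}

// Audit a response's headers (as captured by a proxy or a test) and return
// "blocked" (no one may frame), "restricted" (only listed origins may frame)
// or "framable" (any site may frame it, i.e. clickjackable).
function framingVerdict(headers) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  const csp = h["content-security-policy"];
  if (csp) {
    const directive = csp
      .split(";")
      .map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith("frame-ancestors"));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1).map((s) => s.toLowerCase());
      if (sources.includes("'none'")) return "blocked";
      if (sources.includes("*")) return "framable";
      return "restricted"; // e.g. 'self' or an explicit origin list
    }
  }

  const xfo = h["x-frame-options"];
  if (xfo) {
    const v = xfo.trim().toUpperCase();
    if (v === "DENY") return "blocked";
    if (v === "SAMEORIGIN") return "restricted";
    // ALLOW-FROM is obsolete and ignored by current browsers; any other value
    // is invalid, so neither provides protection.
    return "framable";
  }
  return "framable"; // no anti-framing header at all
}

// Frame-busting fallback for browsers that ignore the headers. Returns true if
// the page was framed and a break-out navigation was attempted. In a real page
// call breakOutOfFrame(window) early in <head>.
function breakOutOfFrame(win) {
  if (win.self === win.top) return false; // already top-level: nothing to do
  win.top.location = win.self.location;  // navigate the outer frame to this page
  return true;
}

// Constructed sample: a settings page that sends only an obsolete ALLOW-FROM value.
const sampleResponseHeaders = {
  "Content-Type": "text/html",
  "X-Frame-Options": "ALLOW-FROM https://partner.example",
};

if (typeof require !== "undefined" && require.main === module) {
  console.log("sample response verdict:", framingVerdict(sampleResponseHeaders)); // framable
  console.log("with deny headers:", framingVerdict(antiFramingHeaders("deny")));  // blocked
}

module.exports = { antiFramingHeaders, framingVerdict, breakOutOfFrame };
```

The audit deliberately checks CSP before X-Frame-Options because that is the order browsers that support both apply them; a "framable" result on a page with sensitive one-click actions is the finding a reviewer would raise. Frame-busting remains a fallback only: an attacker's page can load the target in an iframe with the sandbox attribute, which stops the framed script from navigating the top window, so the headers are the real control.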
Related Terms
Content Security Policy (CSP)
An HTTP security header that tells the browser which sources of content are allowed to load on a page, preventing cross-site scripting and data injection attacks.
Phishing
A social engineering attack where attackers impersonate legitimate entities through fake emails, websites, or messages to trick victims into revealing sensitive information like passwords, credit card numbers, or personal data.
Social Engineering
Psychological manipulation techniques used to trick people into revealing confidential information or performing actions that compromise security. Social engineering exploits human trust rather than technical vulnerabilities.