Created: 2023-10-05 11:29:11
While most threats, such as phishing and malware, are well known and understood by users, others like "clickjacking" remain less familiar. The term "clickjacking" is a compound of "click" and "hijacking". It refers to a malicious technique in which attackers trick users into clicking on something different from what they perceive. In essence, an attacker "hijacks" clicks and makes users perform unintended actions.
Clickjacking is typically accomplished using a combination of embedded content and a transparent layer. This is a simplified breakdown of the process:
1. Attackers create a page and embed a legitimate web page, e.g. a login to a service, by using an IFRAME.
2. The attackers arrange an invisible (transparent) frame on top of the IFRAME with the legitimate page.
3. They also place invisible controls on that frame at the same position as the controls of the legitimate page.
4. The attackers now lure the user to open the page in a browser, e.g. via a phishing email.
When the user attempts to interact with what they see, they are unknowingly interacting with the hidden layer. This causes them to perform actions they do not intend, like downloading malware, submitting credentials, or making online transactions.
Successful clickjacking attacks may have severe consequences:
Two technical measures let webmasters prevent their pages from being embedded by other sites:
1. Send the X-Frame-Options HTTP response header for all your websites.
2. Send the Content-Security-Policy HTTP response header with the frame-ancestors directive.
The second option obsoletes the first in all modern browsers.
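The browser decision these two headers rely on, as an added example that is not part of the original post: a small Python checker that takes a server's response headers and reports whether a given origin may frame the page, with a frame-ancestors directive taking precedence over X-Frame-Options. It assumes well-formed origins, skips port matching and multiple CSP headers, and the header values in the tests are constructed samples.

```python
"""Decide whether a browser would let another origin embed a page in an IFRAME.

Added example (not from the original post). Models the precedence described
above: a Content-Security-Policy frame-ancestors directive, when present,
overrides X-Frame-Options. Port matching and multiple CSP headers are left out.
"""
from urllib.parse import urlparse


def parse_frame_ancestors(csp):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            # An empty source list matches nothing, exactly like 'none'.
            return [p.lower() for p in parts[1:]] or ["'none'"]
    return None


def _source_matches(source, page_origin, ancestor_origin):
    """Simplified CSP source matching: keywords, scheme-source and host-source."""
    if source == "'none'":
        return False
    if source == "'self'":
        return ancestor_origin == page_origin
    if source == "*":
        return True
    anc = urlparse(ancestor_origin)
    if source.endswith(":") and "/" not in source:   # scheme-source, e.g. "https:"
        return anc.scheme == source[:-1]
    src = urlparse(source if "://" in source else "//" + source)
    if src.scheme and src.scheme != anc.scheme:
        return False
    host = src.hostname or ""
    if host.startswith("*."):                        # wildcard covers subdomains only
        return anc.hostname.endswith(host[1:])
    return anc.hostname == host


def framing_allowed(headers, page_origin, ancestor_origin):
    """True if ancestor_origin may frame the page served with these headers."""
    headers = {k.lower(): v for k, v in headers.items()}
    if "content-security-policy" in headers:
        sources = parse_frame_ancestors(headers["content-security-policy"])
        if sources is not None:   # directive present: X-Frame-Options is ignored
            return any(_source_matches(s, page_origin, ancestor_origin) for s in sources)
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return ancestor_origin == page_origin
    return True  # no header, or a value browsers do not honour: framable from anywhere
```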
Clickjacking is a subtle yet significant threat. By understanding its mechanisms and by staying updated with preventive measures, users can navigate the web in a secure manner. Webmasters should implement the technical measures described in this post.