What is clickjacking and how to defend against it?

· Category: Cybersecurity

Short answer

Clickjacking tricks users into clicking hidden elements layered over a legitimate page. Defenses include the X-Frame-Options response header and the Content-Security-Policy frame-ancestors directive, which tell the browser whether the page may be framed.

How it works

An attacker embeds a target website inside a transparent iframe on their own malicious page. Visible buttons or links entice the user to click, but the click is captured by the invisible iframe, performing an unintended action like changing account settings.

Example

A malicious site displays a "Win a Prize" button positioned directly over a bank's "Transfer Funds" button inside a hidden iframe. The user believes they are entering a contest but authorizes a payment.

Why it matters

Clickjacking abuses user trust and can lead to unauthorized transactions, data deletion, or permission grants. The anti-framing response headers (X-Frame-Options and CSP frame-ancestors) are simple to implement and highly effective.