Clickjacking is a technique attackers use to trick a user into clicking a hidden element of another website, which may result in downloading malware, visiting a malicious web page, or performing actions the user never intended.
Generally, clickjacking is done by loading the target website inside a hidden or transparent iframe. This transparent iframe is placed on top of the page the user actually sees, so the user only notices the visible page. When they click what looks like a button or link on it, the click actually lands on the framed target site, which may have significant consequences.
Consider an example: you receive an e-mail saying
"You win special lucky draw... Visit to claim."
You visit the site, which looks like a lucky draw website, and it contains an element designed to make you click, such as
"Spin and win!"
You click it to win, but the attacker may have loaded a different, unintended site underneath, and that is where your click goes.
Possible consequences:
- Users may visit a malicious page.
- Users may perform an unintended transaction.
To prevent your site from being framed by other domains:
- Use the header `X-Frame-Options: SAMEORIGIN`, which stops yoursite.com from being loaded in an iframe on any other domain.
- Use the `Content-Security-Policy` header with the `frame-ancestors` directive (this is the updated mechanism):
  - `Content-Security-Policy: frame-ancestors 'none';` Use this if you are not using iframes anywhere.
  - `Content-Security-Policy: frame-ancestors 'self';` Framing is possible only from the same site.
  - `Content-Security-Policy: frame-ancestors 'self' *.ourothersite.com;` Framing is possible only from the same site and from subdomains of ourothersite.com.
To check whether your site is vulnerable, create an HTML page as below:

```html
<html>
  <head>
    <title>Clickjack test page</title>
  </head>
  <body>
    <p>Website is vulnerable to clickjacking!</p>
    <!-- Replace yoursite.com with your own website domain -->
    <iframe src="https://yoursite.com" width="500" height="500"></iframe>
  </body>
</html>
```

Replace yoursite.com with your website domain and save the file.
Open the HTML page in a browser and see whether your website loads inside the frame.
- Yes? ==> Your website is vulnerable to clickjacking.
- No? ==> Your website is safe from clickjacking.
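The manual iframe test above and the header rules from the prevention list can also be checked from a script. The following is an added example, not code from the original post: given the response headers a site sends, it decides whether a page at some other origin could embed it, following the browser rule that a `frame-ancestors` directive overrides `X-Frame-Options` and that no header at all means anyone may frame the page. The header values, `yoursite.com`, `ourothersite.com` and `attacker.example` are constructed sample data, and port numbers in CSP sources are ignored for brevity.

```python
from urllib.parse import urlsplit
import urllib.request

def _source_matches(src: str, framer, same_origin: bool) -> bool:
    """Match one CSP frame-ancestors source expression against the framing origin."""
    s = src.strip("'").lower()
    if s == "none":
        return False
    if s == "self":
        return same_origin
    if s == "*":
        return True
    if "://" in s:  # scheme-qualified source, e.g. https://app.ourothersite.com
        scheme, host = s.split("://", 1)
        if scheme != framer.scheme:
            return False
    else:
        host = s
    host = host.split("/")[0].split(":")[0]  # drop path and port (assumption: ports not compared)
    if host.startswith("*."):  # *.ourothersite.com matches app.ourothersite.com, not the apex domain
        return framer.hostname.endswith(host[1:])
    return framer.hostname == host

def frame_allowed(headers: dict, page_url: str, framer_url: str) -> bool:
    """True if a document at framer_url may embed page_url, given page_url's response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    page, framer = urlsplit(page_url), urlsplit(framer_url)
    same_origin = (page.scheme, page.hostname, page.port) == (framer.scheme, framer.hostname, framer.port)
    # A frame-ancestors directive, when present, takes precedence over X-Frame-Options.
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return any(_source_matches(src, framer, same_origin) for src in parts[1:])
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return same_origin
    return True  # neither header: any site may frame this page, i.e. vulnerable

def check_live(page_url: str, framer_url: str = "https://attacker.example/") -> bool:
    """Fetch page_url's real headers (needs network) and test them against a hypothetical framer."""
    with urllib.request.urlopen(page_url) as resp:
        return frame_allowed(dict(resp.headers.items()), page_url, framer_url)

if __name__ == "__main__":
    # Constructed sample: the CSP from the post, checked against a foreign framing origin.
    sample = {"Content-Security-Policy": "frame-ancestors 'self' *.ourothersite.com"}
    print(frame_allowed(sample, "https://yoursite.com/", "https://attacker.example/"))  # False
```

A result of True for a foreign framer origin is the scripted equivalent of the iframe test page loading your site.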