Clickjacking

Test for Clickjacking

<!DOCTYPE html>
<html>
<head>
<style>
/* The page under test is layered on top (z-index 2) but made almost transparent,
   so a click on the visible "Click me" text actually lands inside the frame. */
iframe {
  position: relative;
  width: 700px;
  height: 700px;
  opacity: 0.1;
  z-index: 2;
}
/* The decoy text sits underneath; adjust top/left so it lines up with the
   control in the framed page whose click you want to verify. */
div {
  position: absolute;
  top: 450px;
  left: 60px;
  z-index: 1;
}
</style>
</head>
<body>
<div>Click me</div>
<!-- Replace [URL] with the page under test. If the page renders inside the frame,
     it is not sending a frame-ancestors (or X-Frame-Options) restriction. -->
<iframe id="victim_website" src="[URL]" sandbox="allow-forms"></iframe>
</body>
</html>

Recommendations

OWASP Clickjacking Defense Cheat Sheet

1. Set Content Security Policy (CSP) with frame-ancestors:

Add the following header to your web server configuration so that other sites cannot embed your pages in an iframe.

For Apache (add to your .htaccess file):

Header always set Content-Security-Policy "frame-ancestors 'self'"

This configuration allows your pages to be framed only by pages from the same origin ('self'). If you need to allow specific external sites as well, list them after 'self', as shown below:

Header always set Content-Security-Policy "frame-ancestors 'self' https://trustedwebsite.com"

For Nginx:

add_header Content-Security-Policy "frame-ancestors 'self'";
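To check a response offline rather than by loading it in the test frame above, the following added example (written for this page, not from OWASP or the original notes) evaluates a response's headers the way a browser does: frame-ancestors takes precedence over X-Frame-Options, 'self' means the same origin, and a listed host such as https://trustedwebsite.com or a '*.' wildcard is matched against the framing origin. The origins, header sets and the simplified host matching (ports and paths ignored) are constructed assumptions.

```python
from urllib.parse import urlsplit

def parse_frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None when the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def host_source_matches(source, framer_origin):
    """Simplified CSP host-source match: optional scheme, optional '*.' wildcard; ports/paths ignored."""
    framer = urlsplit(framer_origin)
    if source.endswith(":"):  # scheme-only source such as "https:"
        return framer.scheme == source[:-1]
    scheme, sep, rest = source.partition("://")
    if sep and scheme != framer.scheme:
        return False
    host_pat = (rest if sep else source).split("/")[0].split(":")[0]
    framer_host = framer.hostname or ""
    if host_pat.startswith("*."):
        return framer_host.endswith(host_pat[1:])
    return framer_host == host_pat

def source_matches(source, page_origin, framer_origin):
    if source == "'none'":
        return False
    if source == "'self'":
        return framer_origin == page_origin
    return True if source == "*" else host_source_matches(source, framer_origin)

def framing_allowed(headers, page_origin, framer_origin):
    """True if a browser honouring these headers would let framer_origin embed the page.
    frame-ancestors, when present, overrides X-Frame-Options (CSP spec). Only DENY and SAMEORIGIN
    are recognised; other values (e.g. the obsolete ALLOW-FROM) are ignored by current browsers."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    sources = parse_frame_ancestors(hdrs.get("content-security-policy", ""))
    if sources is not None:
        return any(source_matches(s, page_origin, framer_origin) for s in sources)
    xfo = hdrs.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return xfo == "SAMEORIGIN" and framer_origin == page_origin
    return True  # neither header present: any site can frame the page

# Constructed sample responses: the header this page recommends, and one with no protection.
SAMPLES = {"hardened": {"Content-Security-Policy": "frame-ancestors 'self' https://trustedwebsite.com"},
           "vulnerable": {"Content-Type": "text/html"}}
def report(page_origin="https://example.com", framer_origin="https://attacker.example"):
    """Map each sample to whether framer_origin could frame it: True means the page is clickjackable."""
    return {name: framing_allowed(h, page_origin, framer_origin) for name, h in SAMPLES.items()}
```

Feed it the headers captured from the page under test; a True result for an untrusted origin is the finding to fix with the configuration above.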