What Clickjacking Is
Clickjacking tricks a user into interacting with a target site that has been loaded invisibly, usually inside a transparent frame layered over a decoy page. The user thinks they are clicking the decoy, but their click lands on a sensitive control such as a confirm or delete button on the framed site.
Why It Works
- The browser sends the user's session cookies to the framed site as usual.
- The attacker controls the layout and transparency, so the user cannot see what they actually click.
- Any state-changing action reachable by a single click can be hijacked this way.
Defenses
- Send a frame-ancestors directive in your Content Security Policy to control who may embed the page: 'none' blocks all framing, 'self' allows only your own origin, and a list of origins allows chosen embedders.
- Use the X-Frame-Options header as a fallback for older browsers, set to DENY or SAMEORIGIN; browsers that understand frame-ancestors ignore X-Frame-Options when both are present.
- Require an extra confirmation or re-authentication for high-impact actions.
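To make the precedence between the two headers concrete, here is an added example (not from the original page) in Python that decides whether a given embedding origin may frame a response, based on its headers. The header values, origins and function names are constructed for illustration, and source matching is simplified to exact origin, 'self', 'none', '*' and wildcard-host sources.

```python
"""Audit response headers for clickjacking protection (added example).

Rules applied: CSP frame-ancestors wins when present; X-Frame-Options is
the fallback; neither (or an unusable value) means any site may frame it.
"""
from urllib.parse import urlsplit


def _csp_frame_ancestors(headers):
    """Return the frame-ancestors source list from the CSP header, or None."""
    csp = headers.get("content-security-policy")
    if not csp:
        return None
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def may_be_framed_by(headers, page_origin, embedder_origin):
    """True if embedder_origin may frame a page served from page_origin.

    headers: dict of lower-cased header names to values.
    Origins are 'scheme://host[:port]' strings (constructed inputs).
    Only the immediate embedder is checked, not the whole ancestor chain.
    """
    sources = _csp_frame_ancestors(headers)
    if sources is not None:
        # CSP frame-ancestors takes precedence over X-Frame-Options.
        if "none" in sources:
            return False
        emb = urlsplit(embedder_origin)
        for src in sources:
            if src == "self" and embedder_origin == page_origin:
                return True
            if src == "*" or src == embedder_origin:
                return True
            # Wildcard host source such as https://*.partner.test
            if "://*." in src:
                scheme, _, suffix = src.partition("://*.")
                host = emb.hostname or ""
                if emb.scheme == scheme and host.endswith("." + suffix):
                    return True
        return False
    xfo = headers.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder_origin == page_origin
    # Missing, or an obsolete value like ALLOW-FROM: no protection at all.
    return True
```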
Key idea
Clickjacking abuses invisible framing, so declare who may embed your pages with frame-ancestors and X-Frame-Options, and protect critical actions with confirmation.