Skip to main content

How to Protect Yourself and Your Website from Clickjacking


 The good news is that clickjacking can be prevented — both by users and website owners.

Here’s what you can do.

If You’re a Website Owner

1. Add X-Frame-Options

This tells browsers whether your site is allowed to be loaded inside an iframe.
Using:

  • DENY → no site can embed yours.

  • SAMEORIGIN → only your own domain can embed your pages.

2. Use a Stronger CSP Rule

Content Security Policy lets you decide who can load your site in a frame:

Content-Security-Policy: frame-ancestors 'self';

3. Avoid Putting Sensitive Actions in Frames

If a button performs an important function (payment, settings, etc.), keep it outside iframes.

If You’re a Regular User

  • Don’t trust shady download/play buttons.

  • Keep your browser updated.

  • Use an ad-blocker or iframe-blocking extension.

  • Don’t click random links from unknown sites.

Final Thoughts

Clickjacking works because it targets people, not systems.
The best defense is awareness — knowing how the trick works makes you much harder to fool.


REFERENCES 

How to Protect Yourself and Your Website from Clickjacking

  1. MDN Web Docs. X-Frame-Options HTTP Header.
    https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

  2. Google Web.dev. Content Security Policy – frame-ancestors Directive.
    https://web.dev/csp/

  3. OWASP Defense Guide. Clickjacking Defense Cheat Sheet.
    https://owasp.org/www-community/attacks/Clickjacking

Comments

Post a Comment

Popular posts from this blog

Welcome to My Blog

 Hi! Thanks for stopping by. This blog is all about clickjacking —a sneaky type of attack that most people don’t even know is happening while they browse the internet. I created this space because I wanted to explain this topic in a simple and easy way, without using heavy technical words or confusing explanations. Here, I’ll be sharing what clickjacking is, how it actually works, real examples you might have seen online, and how you can protect yourself from it. Everything is written from a normal person’s point of view, so you can understand it even if you’re completely new to cybersecurity. Feel free to explore the posts, learn at your own pace, and hopefully become a bit more aware of what’s going on behind the clicks you make every day.
Post a Comment
Read more

Hidden Clicks, Real Damage: Clickjacking Case Studies

  Case Study 1: Social Media LikeJacking Scam Background A popular social media platform saw a sudden increase in suspicious “Likes” on random pages. Users complained that they never clicked “Like,” yet their profile was promoting unknown pages. What Happened Attackers created a website offering “Watch Free Movies.” A big orange Play button appeared on the page. But behind that button, a hidden Facebook Like button was placed using a transparent iframe. When users clicked Play → they unknowingly liked a spam page. Impact Thousands of users unknowingly boosted fake pages The spam pages gained followers quickly Those pages later spread phishing and scam links Lesson Simple UI manipulation can trick even experienced users. Social media platforms must ensure critical actions (like, share, follow) cannot be executed inside frames. Case Study 2: Online Banking Clickjacking Fraud Background A regional bank noticed several customers reporting unauthorized fund tra...
1 comment
Read more