EasyFrontend Security📖 Theory Question

What is clickjacking and how do you prevent it?

💡

Hint

Attacker overlays your page in a transparent iframe — victim clicks on attacker UI but triggers your authenticated actions; prevent with frame-ancestors CSP

Full Answer

Clickjacking is an attack where a malicious page embeds your site in a transparent <iframe>. The victim sees the attacker's UI but their clicks land on your page's controls (like a "Transfer Funds" button).

Prevention methods:

1. Content-Security-Policy: frame-ancestors (preferred)

Content-Security-Policy: frame-ancestors 'none';
// or allow only same origin:
Content-Security-Policy: frame-ancestors 'self';

2. X-Frame-Options (legacy, still supported)

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN

frame-ancestors in CSP supersedes X-Frame-Options and supports more granular control (e.g., allow specific partners).

3. Frame-busting JS (weak, not recommended)

if (window.top !== window.self) window.top.location = window.location;

Attackers can defeat this with sandbox attribute on the iframe. Always use HTTP headers instead.

More Frontend Security Questions

EasyWhat is XSS (Cross-Site Scripting) and how do you prevent it?EasyWhat is CSRF and how do SameSite cookies and CSRF tokens prevent it?EasyWhat is a Content Security Policy (CSP) and how does it work?EasyWhat security HTTP response headers should every production frontend set?

Practice this in a timed sprint →

5 free questions, no signup required

⚡ Start Sprint