Clickjacking Attacks and How to Prevent Them

robertino.calcaterra · October 30, 2020, 2:31pm

Learn how clickjacking attacks implement visual tricks to capture users’ clicks, and how you can prevent them by applying client-side and server-side solutions.
Read more…

Brought for you by @andrea.chiarelli

robertino.calcaterra · October 30, 2020, 4:00pm

Let us know if you have any questions in the comments below!

andrea.chiarelli · October 30, 2020, 5:47pm

Share your thoughts about clickjacking attacks and defenses

konrad.sopala · May 1, 2021, 4:00pm

This topic was automatically closed after 58 days. New replies are no longer allowed.

cameron_martens_rrez · December 6, 2022, 8:11pm

There’s a mistake in the article:
Where it talks about combining the X-Frame-Options and Content-Security-Policy headers, the article says “If both headers are specified, X-Frame-Options takes priority.” This is the exact opposite of what the link to the spec says: “If a resource is delivered with a policy that includes a directive named frame-ancestors and whose disposition is enforce, then the X-Frame-Options header will be ignored.”

andrea.chiarelli · December 7, 2022, 10:48am

Hi @cameron_martens_rrez,
Thank you very much for noticing and reporting this mistake. I corrected the article.
BTW, welcome to the Auth0 Community!

mmikulski · January 23, 2024, 1:40pm

Andrea, thank you for this detailed writeup; I know its been a couple of years since you put it together, but it was really helpful for someone unaware of ‘clickjacking.’ Have there been any new developments on this front in the past few years, that would cause a defense to diverge significantly from what you describe here?

andrea.chiarelli · January 23, 2024, 2:36pm

Hi @mmikulski,
Welcome to the Auth0 Community, and thank you for appreciating my blog post.
As far as I know, the core concepts behind clickjacking attacks and clickjacking defense are still valid. Anyway, the primary resource for updates is the OWASP website.

kyogendranathreddy · April 23, 2024, 11:46am

Hi andrea,so I tried to prevent clickjacking by using DENY option in X-Frame-Options it’s not working,then I tried with CSP that one is also not working,can you please help me with this.

andrea.chiarelli · April 29, 2024, 5:25pm

Hey @kyogendranathreddy,
Are you having problems with the example application attached to the article or in your own application?
In the latter case, please make sure that the browser receives the headers correctly by inspecting the HTTP responses.

Topic		Replies	Views
Clickjacking via iframes Help security	5	4497	August 29, 2019
Clickjacking Protection in Classic Universal Login! Announcements auth0 , login , universal-login , click-jacking	2	8446	September 3, 2019
Prevent iframe clickjacking (using X-Frame-Options header) Help security	4	4090	September 2, 2019
X-Frame-Options: SAMEORIGIN Help auth0 , login	5	5610	December 21, 2019
Make Content-Security-Policy frame-ancestors directive configurable for New Universal Login Feedback security , new-universal-login	14	3138	October 10, 2024

Clickjacking Attacks and How to Prevent Them

Related topics