Learn how clickjacking attacks implement visual tricks to capture users’ clicks, and how you can prevent them by applying client-side and server-side solutions.
Brought to you by @andrea.chiarelli
Let us know if you have any questions in the comments below!
Share your thoughts about clickjacking attacks and defenses
There’s a mistake in the article: where it talks about combining the X-Frame-Options and Content-Security-Policy headers, the article says “If both headers are specified, X-Frame-Options takes priority.” This is the exact opposite of what the link to the spec says: “If a resource is delivered with a policy that includes a directive named frame-ancestors and whose disposition is enforce, then the X-Frame-Options header will be ignored.”
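The precedence rule quoted above is easy to get wrong when auditing a site's anti-framing headers, so here is an added example (not code from the article or from Auth0) that encodes it: an enforced Content-Security-Policy carrying frame-ancestors wins, a report-only CSP does not enforce anything and so falls through to X-Frame-Options, and X-Frame-Options only counts when it holds a value browsers still honour. The function names (`parse_frame_ancestors`, `effective_framing_policy`) and the sample header sets are my own assumptions for the example; the header names and values are the real ones discussed in the thread.

```python
"""Audit a response's clickjacking (anti-framing) headers.

Implements the CSP spec rule quoted in the thread: when a response carries an
enforced Content-Security-Policy with a frame-ancestors directive, the
X-Frame-Options header is ignored; otherwise X-Frame-Options is what protects
the page, if it is present and carries a value browsers still honour.
"""
from typing import Optional

# Constructed sample header sets for the demonstration (not real responses).
SAMPLE_RESPONSES = {
    "both-headers": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "SAMEORIGIN",  # conflicts with CSP, but CSP wins
    },
    "report-only-csp": {
        "Content-Security-Policy-Report-Only": "frame-ancestors 'none'",
        "X-Frame-Options": "DENY",  # report-only does not enforce, so XFO applies
    },
    "csp-without-frame-ancestors": {
        "Content-Security-Policy": "default-src 'self'",
    },
    "no-protection": {},
}


def parse_frame_ancestors(csp: str) -> Optional[list]:
    """Return the source list of the frame-ancestors directive, or None if absent.

    CSP directives are semicolon-separated; each is a name followed by
    whitespace-separated sources. Directive names are case-insensitive.
    """
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def effective_framing_policy(headers: dict) -> dict:
    """Decide which header actually governs framing for a response.

    Returns a dict with the governing 'source', the 'allowed' ancestors,
    whether the page is 'protected', and whether an X-Frame-Options header
    was present but ignored ('xfo_ignored').
    """
    # HTTP header names are case-insensitive, so normalise the keys.
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")          # enforced policy only
    xfo = h.get("x-frame-options")

    if csp is not None:
        ancestors = parse_frame_ancestors(csp)
        if ancestors is not None:
            # Enforced frame-ancestors present: X-Frame-Options is ignored.
            return {
                "source": "frame-ancestors",
                "allowed": ancestors,
                "protected": True,
                "xfo_ignored": xfo is not None,
            }

    # No enforced frame-ancestors (including the report-only case): fall back.
    if xfo is not None:
        value = xfo.strip().upper()
        if value == "DENY":
            return {"source": "x-frame-options", "allowed": ["'none'"],
                    "protected": True, "xfo_ignored": False}
        if value == "SAMEORIGIN":
            return {"source": "x-frame-options", "allowed": ["'self'"],
                    "protected": True, "xfo_ignored": False}
        # Anything else (e.g. the obsolete ALLOW-FROM form) is not a reliable
        # defence in current browsers, so report it as unprotected.
        return {"source": "x-frame-options", "allowed": None,
                "protected": False, "xfo_ignored": False}

    return {"source": None, "allowed": None, "protected": False, "xfo_ignored": False}


if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        print(f"{name:28s} -> {effective_framing_policy(hdrs)}")
```

Running the block shows that the `both-headers` sample is governed by `frame-ancestors 'none'` with the `SAMEORIGIN` value ignored, while the `report-only-csp` sample is governed by `X-Frame-Options: DENY`. The practical consequence for deployment is the one the corrected article describes: send `Content-Security-Policy: frame-ancestors ...` as the authoritative policy and an `X-Frame-Options` value that agrees with it, so that older clients without frame-ancestors support still get the intended behaviour.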
Hi @cameron_martens_rrez,
Thank you very much for noticing and reporting this mistake. I corrected the article.
BTW, welcome to the Auth0 Community!
Andrea, thank you for this detailed writeup; I know it’s been a couple of years since you put it together, but it was really helpful for someone unaware of ‘clickjacking.’ Have there been any new developments on this front in the past few years that would cause a defense to diverge significantly from what you describe here?
Hi @mmikulski,
Welcome to the Auth0 Community, and thank you for appreciating my blog post.
As far as I know, the core concepts behind clickjacking attacks and clickjacking defense are still valid. Anyway, the primary resource for updates is the OWASP website.