Clickjacking Attacks and How to Prevent Them

Learn how clickjacking attacks implement visual tricks to capture users’ clicks, and how you can prevent them by applying client-side and server-side solutions.

Brought to you by @andrea.chiarelli

1 Like

Let us know if you have any questions in the comments below! :speaking_head:

1 Like

Share your thoughts about clickjacking attacks and defenses :muscle:

1 Like

This topic was automatically closed after 58 days. New replies are no longer allowed.

There’s a mistake in the article:
Where it talks about combining the X-Frame-Options and Content-Security-Policy headers, the article says “If both headers are specified, X-Frame-Options takes priority.” This is the exact opposite of what the link to the spec says: “If a resource is delivered with a policy that includes a directive named frame-ancestors and whose disposition is enforce, then the X-Frame-Options header will be ignored.”

2 Likes
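The precedence rule quoted in the post above (an enforced `frame-ancestors` directive makes the browser ignore `X-Frame-Options`, while a report-only policy does not) is easy to get wrong when auditing response headers. The following added example, not from the article or the Auth0 project, is a small Python checker that applies that rule to a set of response headers and reports which policy the browser will actually enforce. The header dictionary shape (lowercase names, one value per header) and the sample responses are assumptions constructed for the example.

```python
# Added example: decide which anti-framing policy a browser enforces when a
# response carries X-Frame-Options and/or a CSP frame-ancestors directive.
# Rule from the CSP spec: if Content-Security-Policy (enforced, not
# Report-Only) contains frame-ancestors, X-Frame-Options is ignored.

def parse_frame_ancestors(csp_value):
    """Return the frame-ancestors source list from a CSP header value,
    or None if the directive is absent. An empty source list is treated
    as 'none' (no ancestor matches)."""
    for directive in csp_value.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:] or ["'none'"]
    return None


def effective_framing_policy(headers):
    """headers: dict mapping lowercase header name -> value (assumed shape).
    Returns a dict describing what the browser will enforce:
      source      : "frame-ancestors", "x-frame-options" or None
      allowed     : list of allowed ancestor origins in CSP notation
      xfo_ignored : True when X-Frame-Options is present but overridden
    """
    csp = headers.get("content-security-policy")
    xfo = headers.get("x-frame-options")

    # Enforced CSP with frame-ancestors wins over X-Frame-Options.
    if csp is not None:
        ancestors = parse_frame_ancestors(csp)
        if ancestors is not None:
            return {"source": "frame-ancestors",
                    "allowed": ancestors,
                    "xfo_ignored": xfo is not None}

    # Content-Security-Policy-Report-Only never blocks framing, so it is
    # deliberately not consulted here; X-Frame-Options still applies.
    if xfo is not None:
        value = xfo.strip().upper()
        if value == "DENY":
            return {"source": "x-frame-options", "allowed": ["'none'"],
                    "xfo_ignored": False}
        if value == "SAMEORIGIN":
            return {"source": "x-frame-options", "allowed": ["'self'"],
                    "xfo_ignored": False}
        # ALLOW-FROM and malformed values are not honoured by current
        # browsers, so the page ends up framable by anyone.
        return {"source": None, "allowed": ["*"], "xfo_ignored": True}

    return {"source": None, "allowed": ["*"], "xfo_ignored": False}


# Constructed sample responses (assumptions, not captured traffic).
SAMPLES = {
    "both, csp enforced": {
        "content-security-policy": "default-src 'self'; frame-ancestors 'self'",
        "x-frame-options": "DENY",
    },
    "xfo only": {"x-frame-options": "DENY"},
    "report-only csp + xfo": {
        "content-security-policy-report-only": "frame-ancestors 'none'",
        "x-frame-options": "SAMEORIGIN",
    },
    "no protection": {},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:24s} -> {effective_framing_policy(hdrs)}")
```

Run it directly to see each sample resolved; the first case shows the point of the correction, where `X-Frame-Options: DENY` is present but the browser follows `frame-ancestors 'self'` instead.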

Hi @cameron_martens_rrez,
Thank you very much for noticing and reporting this mistake. :pray: I corrected the article.
BTW, welcome to the Auth0 Community! :wave:

1 Like

Andrea, thank you for this detailed writeup; I know it's been a couple of years since you put it together, but it was really helpful for someone unaware of ‘clickjacking.’ Have there been any new developments on this front in the past few years that would cause a defense to diverge significantly from what you describe here?

Hi @mmikulski,
Welcome to the Auth0 Community, and thank you for appreciating my blog post.
As far as I know, the core concepts behind clickjacking attacks and clickjacking defense are still valid. Anyway, the primary resource for updates is the OWASP website.