Clickjacking Attacks and How to Prevent Them

Learn how clickjacking attacks implement visual tricks to capture users’ clicks, and how you can prevent them by applying client-side and server-side solutions.

Brought for you by @andrea.chiarelli

Let us know if you have any questions in the comments below! :speaking_head:

Share your thoughts about clickjacking attacks and defenses :muscle:

There’s a mistake in the article:
Where it talks about combining the X-Frame-Options and Content-Security-Policy headers, the article says “If both headers are specified, X-Frame-Options takes priority.” This is the exact opposite of what the link to the spec says: “If a resource is delivered with a policy that includes a directive named frame-ancestors and whose disposition is enforce, then the X-Frame-Options header will be ignored.”

Hi @cameron_martens_rrez,
Thank you very much for noticing and reporting this mistake. :pray: I corrected the article.
BTW, welcome to the Auth0 Community! :wave:

Andrea, thank you for this detailed writeup; I know it's been a couple of years since you put it together, but it was really helpful for someone unaware of ‘clickjacking.’ Have there been any new developments on this front in the past few years that would cause a defense to diverge significantly from what you describe here?

Hi @mmikulski,
Welcome to the Auth0 Community, and thank you for appreciating my blog post.
As far as I know, the core concepts behind clickjacking attacks and clickjacking defense are still valid. Anyway, the primary resource for updates is the OWASP website.

Hi Andrea, so I tried to prevent clickjacking by using the DENY option in X-Frame-Options; it's not working. Then I tried with CSP; that one is also not working. Can you please help me with this?

Hey @kyogendranathreddy,
Are you having problems with the example application attached to the article or in your own application?
In the latter case, please make sure that the browser receives the headers correctly by inspecting the HTTP responses.
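The precedence rule quoted earlier in the thread (an enforced `frame-ancestors` directive makes the browser ignore `X-Frame-Options`) and the advice to inspect the response headers can be checked offline with the following script. This is an added example, not code from the article or from Auth0; the function names (`framing_allowed`, `_frame_ancestors`, `_source_matches`) and the sample header set are constructed for illustration, and ports are ignored for simplicity.

```python
"""Evaluate whether a page's response headers let a given origin frame it."""
from typing import Dict, List, Optional, Tuple

# Constructed sample: both headers set, as discussed in the thread. Because CSP
# frame-ancestors is present and enforced, the DENY in X-Frame-Options is ignored.
SAMPLE_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.trusted.example",
}

def _origin(url: str) -> Tuple[str, str]:
    """Return (scheme, host) of a URL or host-source, lower-cased; port and path dropped."""
    scheme, sep, rest = url.lower().partition("://")
    if not sep:                      # bare host-source such as *.example.com
        scheme, rest = "", url.lower()
    return scheme, rest.split("/")[0].split(":")[0]

def _frame_ancestors(csp: Optional[str]) -> Optional[List[str]]:
    """Return the frame-ancestors source list from an enforced CSP value, or None if absent."""
    if not csp:
        return None
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:] or ["'none'"]   # an empty source list blocks every ancestor
    return None

def _source_matches(source: str, page: str, embedder: str) -> bool:
    """Match one CSP source expression ('none', 'self', *, host-source) against the embedder."""
    src = source.strip("'").lower()
    if src == "none":
        return False
    if src == "self":
        return _origin(page) == _origin(embedder)
    if src == "*":
        return True
    s_scheme, s_host = _origin(src)
    e_scheme, e_host = _origin(embedder)
    if s_scheme and s_scheme != e_scheme:     # an explicit scheme must match
        return False
    if s_host.startswith("*."):
        return e_host.endswith(s_host[1:])
    return s_host == e_host

def framing_allowed(headers: Dict[str, str], page: str, embedder: str) -> bool:
    """Decide whether `embedder` may frame `page`. Only the enforcing CSP header counts:
    Content-Security-Policy-Report-Only never blocks framing."""
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = _frame_ancestors(h.get("content-security-policy"))
    if ancestors is not None:                 # CSP present: X-Frame-Options is ignored
        return any(_source_matches(s, page, embedder) for s in ancestors)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _origin(page) == _origin(embedder)
    return True                               # neither header: no framing protection

if __name__ == "__main__":
    for who in ("https://app.example", "https://evil.example"):
        print(who, "->", framing_allowed(SAMPLE_HEADERS, "https://app.example", who))
```

To test a real deployment, paste the headers from the browser's network panel (or `curl -I`) into the dictionary; if the headers are missing there, the server or a proxy is stripping them before the browser sees them.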