Clickjacking protection (X-Frame-Options, frame-ancestors)

An invisible iframe over your login page is all an attacker needs. One response header (X-Frame-Options) or one CSP directive (frame-ancestors) stops it cold, and Barrion tells you when either one is missing or too loose.

What it is

Clickjacking happens when an attacker's page loads your site in an invisible iframe, so a visitor who thinks they are clicking the attacker's visible UI is really clicking yours: confirming a payment, changing an email address, approving an OAuth grant. The X-Frame-Options response header (DENY or SAMEORIGIN) and the Content-Security-Policy frame-ancestors directive ('none', 'self', or a list of allowed origins) tell the browser to refuse to render your page inside a frame, or to allow it only from the origins you name. Both must be delivered as HTTP response headers; frame-ancestors is ignored in a <meta http-equiv> tag.

Why it matters

Without frame protection, an attacker can lay a decoy page over your framed login, payment or settings UI and steer the victim's clicks onto your buttons. X-Frame-Options: DENY blocks all framing and SAMEORIGIN allows only your own origin; frame-ancestors 'none' and 'self' do the same in CSP, and frame-ancestors can additionally name specific partner origins. The old X-Frame-Options ALLOW-FROM value is not implemented by current browsers and gives no protection. When both mechanisms are present, browsers that support CSP Level 2 enforce frame-ancestors and ignore X-Frame-Options, so send both: frame-ancestors for precision, X-Frame-Options as a fallback for older clients.

How Barrion checks it

Barrion checks for X-Frame-Options and/or Content-Security-Policy frame-ancestors on your responses. We report missing or weak values (e.g. overly permissive frame-ancestors) and link to fix guides. Checks are passive header inspection.
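
To make the "missing or weak" distinction concrete, here is an added Python example (not Barrion's code) that applies the browser rules to a set of captured response headers: CSP frame-ancestors governs whenever it is present, 'none', 'self' or a specific allowlist pass, '*' or a bare scheme is flagged weak, a Report-Only policy does not count, and for X-Frame-Options only DENY and SAMEORIGIN pass, while ALLOW-FROM, conflicting or malformed values are reported as weak because browsers ignore them. The sample responses, the `check_clickjacking` function and the `Verdict` type are constructed for this example.

```python
"""Passive clickjacking-header check over captured HTTP response headers.

Added example, not Barrion's code: applies the browser rules for
Content-Security-Policy frame-ancestors and X-Frame-Options to headers that
were already captured. Headers are a list of (name, value) pairs so that
repeated headers are preserved.
"""
from dataclasses import dataclass, field

# frame-ancestors sources that let (nearly) any site frame the page.
PERMISSIVE_SOURCES = {"*", "http:", "https:", "data:", "blob:", "filesystem:"}
VALID_XFO = {"DENY", "SAMEORIGIN"}


@dataclass
class Verdict:
    status: str        # "protected" | "weak" | "missing"
    governed_by: str   # "frame-ancestors" | "x-frame-options" | "none"
    notes: list = field(default_factory=list)


def _values(headers, name):
    """All values of one header, name compared case-insensitively, order kept."""
    return [v.strip() for n, v in headers if n.lower() == name.lower()]


def _policies(headers, name):
    """Individual CSP policies: one header may carry several, joined by commas."""
    return [p for v in _values(headers, name) for p in v.split(",")]


def _frame_ancestors(policy):
    """Source list of the frame-ancestors directive in one CSP policy, or None."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def _classify(sources):
    """One source list -> 'none' | 'permissive' | 'allowlist'."""
    # CSP: an empty list or a lone 'none' matches nothing; 'none' next to
    # other sources has no effect, so only the exact single-token form counts.
    if not sources or sources == ["'none'"]:
        return "none"
    if any(s in PERMISSIVE_SOURCES for s in sources):
        return "permissive"
    return "allowlist"


def check_clickjacking(headers):
    """Classify a response's clickjacking protection as protected, weak or missing."""
    notes = []
    enforced = [src for src in map(_frame_ancestors, _policies(headers, "Content-Security-Policy"))
                if src is not None]
    if enforced:
        # CSP Level 2: when frame-ancestors is present, X-Frame-Options is ignored.
        # Every policy must allow the embedding, so the strictest list decides.
        classes = [_classify(src) for src in enforced]
        if "none" in classes:
            return Verdict("protected", "frame-ancestors", ["frame-ancestors 'none'"])
        if "allowlist" in classes:
            allowed = sorted({s for src, c in zip(enforced, classes) if c == "allowlist" for s in src})
            if any("*" in s for s in allowed):
                notes.append("wildcard host in frame-ancestors allowlist")
            notes.append("framing limited to: " + " ".join(allowed))
            return Verdict("protected", "frame-ancestors", notes)
        every = sorted({s for src in enforced for s in src})
        return Verdict("weak", "frame-ancestors", ["frame-ancestors permits any site: " + " ".join(every)])

    if any(_frame_ancestors(p) is not None
           for p in _policies(headers, "Content-Security-Policy-Report-Only")):
        notes.append("frame-ancestors only in a Report-Only policy: not enforced")

    xfo = [v.upper() for v in _values(headers, "X-Frame-Options")]
    if not xfo:
        return Verdict("missing", "none", notes + ["no X-Frame-Options or frame-ancestors"])
    if len(set(xfo)) > 1:
        return Verdict("weak", "x-frame-options",
                       notes + ["conflicting X-Frame-Options values: " + ", ".join(xfo)])
    value = xfo[0]
    if value in VALID_XFO:
        return Verdict("protected", "x-frame-options", notes + ["X-Frame-Options: " + value])
    if value.startswith("ALLOW-FROM"):
        # Obsolete: current browsers do not implement it and treat it as invalid.
        return Verdict("weak", "x-frame-options",
                       notes + ["ALLOW-FROM is obsolete and ignored; use frame-ancestors"])
    # Anything else (ALLOWALL, comma-joined lists, typos) is invalid and ignored.
    return Verdict("weak", "x-frame-options", notes + ["invalid X-Frame-Options value is ignored: " + value])


# Constructed sample responses for the demo; not captured from any real site.
SAMPLES = {
    "hardened":    [("X-Frame-Options", "DENY"), ("Content-Security-Policy", "frame-ancestors 'none'")],
    "allowlist":   [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self' https://partner.example")],
    "csp-wins":    [("X-Frame-Options", "SAMEORIGIN"),   # ignored because CSP frame-ancestors is present
                    ("Content-Security-Policy", "frame-ancestors *")],
    "obsolete":    [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
    "report-only": [("Content-Security-Policy-Report-Only", "frame-ancestors 'none'")],
    "bare":        [("Content-Type", "text/html")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        v = check_clickjacking(hdrs)
        print(f"{label:12} {v.status:10} via {v.governed_by:16} {'; '.join(v.notes)}")
```

The "csp-wins" sample is the case worth remembering: a correct X-Frame-Options: SAMEORIGIN next to frame-ancestors * is still framable in any CSP Level 2 browser, because the CSP directive takes precedence.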

Configuration examples

Nginx: deny framing via XFO and CSP
# "always" emits the headers on error responses (4xx/5xx) too, not only on 2xx/3xx.
add_header X-Frame-Options "DENY" always;
add_header Content-Security-Policy "frame-ancestors 'none'" always;
# Caveat: add_header is inherited from the server block only when a location
# block declares no add_header of its own. Any location that sets even one
# header must repeat these two, or it ships with no frame protection.

Verify it

# HEAD request: quick, but a server may answer HEAD and GET differently.
curl -sI https://example.com | grep -iE 'x-frame-options|frame-ancestors'
# GET request, headers only, following redirects to the response that serves the page.
curl -sL -o /dev/null -D - https://example.com | grep -iE 'x-frame-options|frame-ancestors'
# Repeat against a path that returns 404 to confirm the headers survive on error pages.