What it is
Clickjacking happens when your site is embedded in an invisible iframe on another site: users think they are clicking a harmless element on the attacker's visible page, but the click lands on your framed UI. X-Frame-Options or CSP frame-ancestors tells the browser not to allow your page to be framed (or only by specific origins).
Why it matters
Without frame protection, an attacker can overlay your login or payment UI with transparent elements and trick users into clicking. DENY or sameorigin (or frame-ancestors 'none' / 'self') prevents your content from being framed by other sites.
How it is exploited
The attacker hosts an iframe of your /transfer page positioned under a fake button. The user clicks the button thinking it is a captcha; the click actually submits a transfer with their existing session cookie.
How to fix it
- Choose X-Frame-Options or CSP. X-Frame-Options: DENY (no framing) or SAMEORIGIN (only your site). CSP frame-ancestors is more flexible (e.g. allow specific domains) and is the modern approach; you can set both for compatibility.
- Add the header. Send X-Frame-Options: DENY or X-Frame-Options: SAMEORIGIN on every response. Alternatively set Content-Security-Policy with frame-ancestors 'none' or frame-ancestors 'self'.
- Verify. Run a clickjacking protection check or Barrion scan to confirm the header is present and your site is not framable by unknown origins.
Examples by platform
Nginx
add_header X-Frame-Options "DENY" always;
Apache
Header always set X-Frame-Options "DENY"
How to verify the fix
Confirm the X-Frame-Options header is present in HTTPS responses:
curl -sI https://example.com | grep -i x-frame-options
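As an added example (not part of the original page), a small Python checker that applies the browser rules described above to a captured set of response headers: CSP frame-ancestors takes precedence over X-Frame-Options when both are present, SAMEORIGIN compares the framing origin with the page origin, and a missing header leaves the page framable. All header values and URLs are constructed; origin matching is simplified to scheme and host (ports are ignored).

```python
from urllib.parse import urlsplit

def _origin(url):
    """Simplified origin: (scheme, host); ports are ignored in this example."""
    p = urlsplit(url)
    return p.scheme.lower(), (p.hostname or "").lower()

def _frame_ancestors(csp):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            # an empty source list behaves like 'none'
            return [t.strip("'").lower() for t in tokens[1:]] or ["none"]
    return None

def _source_allows(src, framer_url, page_url):
    """Match one frame-ancestors source: 'none', 'self', '*', [scheme://]host, *.host."""
    f_scheme, f_host = _origin(framer_url)
    if src == "none":
        return False
    if src == "*":
        return True
    if src == "self":
        return (f_scheme, f_host) == _origin(page_url)
    scheme, sep, host = src.partition("://")
    if not sep:
        scheme, host = "", src  # bare host source: any scheme
    if scheme and scheme != f_scheme:
        return False
    if host.startswith("*."):
        return f_host.endswith(host[1:])  # wildcard does not match the bare domain
    return f_host == host

def framing_allowed(headers, page_url, framer_url):
    """True if a browser would let framer_url embed page_url under these response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = _frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        # CSP frame-ancestors is present: it overrides X-Frame-Options
        return any(_source_allows(s, framer_url, page_url) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return _origin(framer_url) == _origin(page_url)
    # no header, or an unrecognised value: the page can be framed from anywhere
    return True
```

Feed it the headers from the curl command above (or from a scanner's output) together with the origins you expect to be blocked; a True for an unknown origin means the fix is not in effect on that response.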