Fix Clickjacking Vulnerabilities

Clickjacking — also called a UI redressing attack — tricks users into clicking on hidden or disguised interface elements by layering your website inside a transparent iframe on an attacker-controlled page. The victim believes they are interacting with a harmless page but unknowingly transfers funds, changes account settings, enables a camera, or approves a malicious OAuth scope. Vuln0x checks your website for clickjacking vulnerabilities by testing whether your HTTP headers allow framing — and if so, identifies exactly which directive is missing so you can fix it in minutes.

A clickjacking attack works by placing your legitimate website in a transparent iframe positioned precisely over a decoy page. The attacker uses CSS opacity: 0 and z-index manipulation to make your site invisible to the user while still interactive. When the victim clicks what appears to be an innocent button on the decoy page — a prize claim, a video play button, a survey — they are actually clicking a button on your hidden site. The attacker controls the positioning to align your most dangerous actions (confirm payment, grant permission, delete account) with the decoy's clickable area. On mobile devices, the same technique works with touch events and swipe gestures.

Clickjacking vulnerabilities are entirely preventable with two HTTP headers. The older protection is X-Frame-Options, introduced in 2009 and supported by every browser. Setting it to DENY prevents your page from being framed by any origin; SAMEORIGIN allows framing only by pages from the same origin. X-Frame-Options has no wildcard or specific-domain allowlist capability — if you need to allow framing by specific trusted third-party domains, you must use the Content-Security-Policy header instead. The frame-ancestors directive in CSP allows precise control: frame-ancestors 'none' (equivalent to DENY), frame-ancestors 'self' (equivalent to SAMEORIGIN), or frame-ancestors https://trusted-partner.com 'self' for a specific allowlist.

CSP frame-ancestors is the modern, preferred protection because it supports multiple allowed origins and avoids a subtle limitation of X-Frame-Options: in some older browser implementations, X-Frame-Options headers sent in meta tags or by intermediary proxies were not consistently honoured. A Content-Security-Policy header with frame-ancestors issued from the origin server is processed by all modern browsers before any framing is attempted. If both headers are present, browsers that support CSP use frame-ancestors and ignore X-Frame-Options. For maximum compatibility with older browsers, it is best practice to set both headers.

Not every page on your application requires the same clickjacking protection level. Static marketing pages with no user actions might be acceptable to frame — embedding a product demo in a partner's page is a legitimate business case. The pages that absolutely must be protected are those that perform state-changing actions: login forms, password reset flows, payment confirmation pages, settings pages, and any OAuth authorisation endpoint. A clickjacking vulnerability on a payment confirmation page combined with a well-crafted decoy page can cause users to authorise financial transactions without any awareness. Vuln0x's scanner tests the pages that a crawler discovers during the scan, and the full scan report lists each URL and its frame-protection status individually.

Beyond HTTP headers, some teams implement a JavaScript frame-buster as an additional layer, although this should never be the primary defence. Frame-busters — scripts that detect when the page is loaded inside an iframe and break out or redirect — can be defeated by an attacker who uses the HTML5 sandbox attribute on the iframe element (sandbox prevents JavaScript execution in the framed content). Headers, by contrast, are enforced by the browser before the page renders and cannot be bypassed by the attacker's page. Vuln0x's clickjacking report provides environment-specific remediation examples: nginx add_header directives, Apache Header set lines, Next.js middleware configuration, Express.js helmet settings, and Django SecurityMiddleware configuration — so you can apply the fix in your specific stack without additional research.
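As an added example (not Vuln0x's code, nor any framework's), a standard-library-only WSGI middleware that applies the header policy described above: deny framing everywhere by default, send both headers on protected pages, and let one named partner embed a demo page via a CSP allowlist. The paths, the partner origin and the `_demo_app` stand-in are hypothetical.

```python
# Added example, not code from Vuln0x or any framework: a WSGI middleware that
# applies the two-header policy described above to every response. The paths
# and the partner origin are hypothetical placeholders.

# Pages a named partner may embed (the product-demo case); everything else is denied.
EMBEDDABLE = {"/demo": ["https://trusted-partner.com"]}

def frame_headers(path: str) -> list[tuple[str, str]]:
    """Headers to add for a path. Embeddable pages get a CSP allowlist only,
    because X-Frame-Options cannot express a third-party allowlist and a
    DENY or SAMEORIGIN beside it would break the embed in older browsers."""
    for prefix, origins in EMBEDDABLE.items():
        if path == prefix or path.startswith(prefix + "/"):
            return [("Content-Security-Policy",
                     "frame-ancestors 'self' " + " ".join(origins))]
    return [("Content-Security-Policy", "frame-ancestors 'none'"),
            ("X-Frame-Options", "DENY")]

class FrameProtection:
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        def guarded_start(status, headers, exc_info=None):
            # Drop any X-Frame-Options the app set so the response never carries
            # conflicting values. Extra CSP headers are safe to add: browsers
            # enforce every policy present, so the result is the intersection.
            kept = [(k, v) for k, v in headers if k.lower() != "x-frame-options"]
            kept += frame_headers(environ.get("PATH_INFO", "/"))
            return start_response(status, kept, exc_info)
        return self.app(environ, guarded_start)

def _demo_app(environ, start_response):
    # Constructed stand-in for the real application behind the middleware.
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html>demo</html>"]

def headers_for(path: str) -> dict[str, list[str]]:
    """Run the stand-in app through the middleware; return the headers it sent."""
    sent: list[tuple[str, str]] = []
    FrameProtection(_demo_app)({"PATH_INFO": path, "REQUEST_METHOD": "GET"},
                               lambda status, hdrs, exc_info=None: sent.extend(hdrs))
    out: dict[str, list[str]] = {}
    for name, value in sent:
        out.setdefault(name, []).append(value)
    return out
```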

How to check your website for Clickjacking vulnerabilities

  1. Enter your website URL into the Vuln0x scanner above and click 'Scan free'.
  2. Vuln0x sends an HTTP request to your URL and inspects the response headers for X-Frame-Options and Content-Security-Policy.
  3. The scanner checks whether X-Frame-Options is set to DENY or SAMEORIGIN, and whether CSP includes a frame-ancestors directive that restricts framing.
  4. If framing is allowed, Vuln0x confirms exploitability by attempting to embed the page in an iframe from a cross-origin test domain.
  5. The report shows the missing header, the recommended value for your stack, and example code snippets for common web servers and frameworks.
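An added example, not Vuln0x's scanner code: the header evaluation behind steps 2 and 3, applying the precedence rules from the header sections above (a CSP frame-ancestors directive overrides X-Frame-Options, a report-only policy never blocks framing, and a wildcard or bare-scheme source leaves the page frameable). Any header values passed in are constructed inputs.

```python
from typing import Mapping, Sequence

# Added example, not Vuln0x's scanner code: resolve a response's framing policy
# the way a browser does (steps 2 and 3 above). Headers are name -> list of
# values because a response may carry the same header more than once.

def frame_ancestors(csp_values: Sequence[str]):
    """Lowercased source list of the first frame-ancestors directive, or None.
    Policies may be comma-joined into one header value, so split on commas
    first. Content-Security-Policy-Report-Only is ignored: it never blocks."""
    for policy in ",".join(csp_values).split(","):
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return [t.lower() for t in tokens[1:]]
    return None


def framing_policy(headers: Mapping[str, Sequence[str]]) -> dict:
    h = {name.lower(): list(values) for name, values in headers.items()}
    sources = frame_ancestors(h.get("content-security-policy", []))
    if sources is not None:
        # A browser that understands frame-ancestors ignores X-Frame-Options.
        by = "csp frame-ancestors"
        if sources == ["'none'"] or not sources:  # empty list matches no ancestor
            return {"framing": "denied", "enforced_by": by}
        if set(sources) == {"'self'"}:
            return {"framing": "same-origin", "enforced_by": by}
        if "*" in sources or any(s.endswith(":") for s in sources):
            # '*' or a bare scheme such as https: lets any site frame the page.
            return {"framing": "allowed", "enforced_by": by,
                    "fix": "replace the wildcard with 'none', 'self' or named origins"}
        return {"framing": "allowlist", "enforced_by": by, "origins": sources}

    xfo = {v.strip().lower() for v in h.get("x-frame-options", [])}
    if xfo == {"deny"}:
        return {"framing": "denied", "enforced_by": "x-frame-options",
                "fix": "also send Content-Security-Policy: frame-ancestors 'none'"}
    if xfo == {"sameorigin"}:
        return {"framing": "same-origin", "enforced_by": "x-frame-options",
                "fix": "also send Content-Security-Policy: frame-ancestors 'self'"}
    # No header, an unsupported value such as ALLOW-FROM, or conflicting values.
    return {"framing": "allowed", "enforced_by": None,
            "fix": "send Content-Security-Policy: frame-ancestors 'none' "
                   "and X-Frame-Options: DENY"}
```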

Frequently asked questions about Clickjacking

What is a clickjacking attack?
Clickjacking (UI redressing) is an attack where your website is embedded in an invisible iframe on an attacker-controlled page. The victim interacts with the decoy page but unknowingly triggers actions on your hidden site — such as approving a payment, changing a password, or granting OAuth permissions — without any indication that your site is involved.
How do I check my website for clickjacking vulnerabilities?
Enter your URL in the Vuln0x scanner at the top of this page. The free passive check inspects your X-Frame-Options and Content-Security-Policy headers immediately. The full scan (free after registration) also attempts cross-origin framing to confirm exploitability and tests individual pages discovered during crawling.
What is the difference between X-Frame-Options and CSP frame-ancestors?
Both prevent your page from being framed. X-Frame-Options (DENY or SAMEORIGIN) is the older header with broad support. CSP frame-ancestors is the modern replacement that supports allowlisting specific origins and is more reliably enforced. Best practice in 2026 is to set both headers: CSP frame-ancestors for precision and X-Frame-Options for older browser compatibility.
Can JavaScript frame-busters replace the X-Frame-Options header?
No. JavaScript frame-busters can be defeated by an attacker who uses the HTML5 sandbox attribute on the iframe, which blocks script execution in the framed content. HTTP headers are enforced by the browser before the page renders and cannot be bypassed by the attacker's page. Always use headers as the primary defence.
Which pages on my site need clickjacking protection?
Any page that performs a state-changing action — login, payment confirmation, password reset, settings changes, OAuth authorisation — must be protected. Static informational pages with no user actions carry lower risk. Vuln0x's full scan reports clickjacking status per URL so you can prioritise fixes for the highest-risk pages first.

Ready to test your website for Clickjacking vulnerabilities?

Start free — 50 credits included, no credit card required. Results in under 60 seconds.