
Clickjacking Explained: What It Is and How to Prevent It

By Joseph Abear ·

Clickjacking is an attack in which a page the attacker controls loads your legitimate page inside a hidden or disguised frame and positions decoy content over it, so users click something they did not intend, such as an invisible button. The primary defenses are the Content-Security-Policy frame-ancestors directive and the X-Frame-Options header, which stop your pages from being framed by other sites. SameSite cookies add a further layer: they do not prevent framing, but they keep the victim's session cookie out of a cross-site frame, so a hijacked click is not made with the victim's login.

TL;DR: Quick answer

  • Clickjacking overlays hidden elements so a user's click is hijacked toward an action they did not intend.
  • The strongest modern defense is the Content-Security-Policy frame-ancestors directive, which controls who can frame your site.
  • X-Frame-Options is the older header that does a similar job and is still useful for legacy coverage.
  • SameSite cookies and framebusting add further protection: the first keeps the session cookie out of a cross-site frame, the second is a script-level fallback that an attacker can bypass.

What is clickjacking and how does it work?

In a clickjacking attack, an attacker loads your real page inside an iframe on a page they control, makes the frame invisible (for example with CSS opacity set to zero) or disguises it, and stacks it above decoy content. The decoy is positioned so that when the victim thinks they are clicking a harmless button, the click actually lands on a control in your framed page, for example confirming a transfer, changing a setting, or granting a permission. Because the browser sends the victim's cookies along with the framed page, the action is performed in the victim's logged-in session. The user sees one thing and clicks another.

How do you prevent clickjacking?

  • Content-Security-Policy: frame-ancestors. The modern, preferred control. Set it to specify exactly which origins, if any, may frame your pages. Use frame-ancestors 'none' to block all framing, 'self' to allow only your own origin, or an explicit list of origins (wildcard subdomains such as https://*.partner.example are allowed) when a known partner must embed you.
  • X-Frame-Options. The older header, with the values DENY and SAMEORIGIN. It overlaps with frame-ancestors and remains useful for older browsers. Its third value, ALLOW-FROM, is obsolete and ignored by current browsers, so do not rely on it.
  • SameSite cookies. With SameSite=Lax or SameSite=Strict, the browser omits the session cookie when your page is loaded inside a cross-site frame, so the framed page renders as logged out and a hijacked click cannot perform an authenticated action. This does not stop framing itself; it limits the damage when framing is possible.
  • Framebusting scripts. JavaScript that checks whether the page is the top-level window and navigates out of the frame if not. A last-resort measure for environments where headers are hard to set: an attacker can neutralize it by loading your page in an iframe with the sandbox attribute, which denies the script permission to navigate the top window.

Where both are available, frame-ancestors takes precedence over X-Frame-Options, so set the CSP directive and keep the legacy header for coverage.
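The decision a browser makes from these headers, as an added worked example that is not part of the original article: a small Node.js script that evaluates whether a given embedder origin may frame a page served with a given set of response headers, applying the precedence rule above (a frame-ancestors directive, when present, overrides X-Frame-Options), plus a check of whether a Set-Cookie value's SameSite attribute keeps the session out of a cross-site frame. The header values, the origins such as https://portal.example and https://attacker.example, and the hardenedHeaders() function are constructed for the example. The source-expression matching is simplified (it handles 'none', 'self', '*' and host sources with an optional scheme, "*." wildcard and port) and is not a complete CSP implementation.

```javascript
'use strict';
// Added example (not from the original article): decide whether a response's
// anti-framing headers let `embedderOrigin` frame a page at `pageOrigin`.
// Simplification: bare scheme sources such as "https:" are treated as non-matching,
// and origins are assumed to be well-formed, e.g. "https://portal.example".

function parseFrameAncestors(cspHeader) {
  if (!cspHeader) return null;
  for (const directive of cspHeader.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null; // CSP present, but it says nothing about framing
}

function sourceMatches(source, pageOrigin, embedderOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return embedderOrigin === pageOrigin;
  if (src === '*') return true;
  // host-source: [scheme://][*.]host[:port]
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  const e = new URL(embedderOrigin);
  const defaultPort = e.protocol === 'https:' ? '443' : '80';
  const ePort = e.port || defaultPort;
  if (scheme && `${scheme}:` !== e.protocol) return false;
  if (wildcard ? !e.hostname.endsWith(`.${host}`) : e.hostname !== host) return false;
  // A source without a port only matches the scheme's default port.
  if (port === undefined ? ePort !== defaultPort : port !== '*' && port !== ePort) return false;
  return true;
}

function frameAllowed(headers, pageOrigin, embedderOrigin) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const sources = parseFrameAncestors(h['content-security-policy']);
  if (sources) {
    // Once frame-ancestors is present, a supporting browser ignores
    // X-Frame-Options entirely, so the legacy header is not consulted here.
    return sources.some((s) => sourceMatches(s, pageOrigin, embedderOrigin));
  }
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return pageOrigin === embedderOrigin;
  // No header, or an unsupported value such as the obsolete ALLOW-FROM, which
  // current browsers ignore: the page can be framed from anywhere.
  return true;
}

// Does the cookie's SameSite attribute keep it out of a cross-site frame?
// Only an explicit Lax or Strict counts; a missing attribute is treated as
// unprotected here because browser defaults differ.
function cookieBlockedInCrossSiteFrame(setCookieValue) {
  const attr = setCookieValue.split(';').map((p) => p.trim().toLowerCase())
    .find((p) => p.startsWith('samesite='));
  if (!attr) return false;
  const mode = attr.slice('samesite='.length);
  return mode === 'lax' || mode === 'strict';
}

// Constructed response headers for a hardened page such as a patient portal.
function hardenedHeaders() {
  return {
    'Content-Security-Policy': "frame-ancestors 'none'",
    'X-Frame-Options': 'DENY', // legacy coverage; ignored where CSP is understood
    'Set-Cookie': 'session=abc123; Secure; HttpOnly; SameSite=Lax; Path=/',
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const page = 'https://portal.example';
  const cases = [
    ['no headers', {}],
    ['XFO SAMEORIGIN only', { 'X-Frame-Options': 'SAMEORIGIN' }],
    ['CSP none + XFO SAMEORIGIN', { 'Content-Security-Policy': "frame-ancestors 'none'", 'X-Frame-Options': 'SAMEORIGIN' }],
    ['hardened', hardenedHeaders()],
  ];
  for (const [label, headers] of cases) {
    for (const embedder of [page, 'https://attacker.example']) {
      const verdict = frameAllowed(headers, page, embedder) ? 'ALLOWED' : 'blocked';
      console.log(`${label.padEnd(28)} framed by ${embedder.padEnd(26)} -> ${verdict}`);
    }
  }
}
```

Run it with node and note the third case: with frame-ancestors 'none' present, even a same-origin embed is blocked although X-Frame-Options says SAMEORIGIN, which is the precedence rule in practice. The empty-header case shows why a page with clickable sensitive actions and no anti-framing header is the attacker's starting point.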

Why does clickjacking matter for healthcare sites?

If a patient portal, scheduling tool, or account page can be framed, an attacker could trick a logged-in user into performing sensitive actions. For sites that handle protected health information, that is both a security risk and a potential compliance problem. Anti-framing headers are a low-cost control that should be part of a hardened configuration.

Frequently asked questions

How do I prevent clickjacking?

Set a Content-Security-Policy frame-ancestors directive, add X-Frame-Options for legacy browsers, and use SameSite cookies. Block framing entirely unless you have a specific need to allow it.

What is the difference between X-Frame-Options and frame-ancestors?

X-Frame-Options is the older header; frame-ancestors is the modern CSP directive that is more flexible and takes precedence when both are present.

Is clickjacking still a threat?

Yes. Any site that can be framed and has clickable sensitive actions remains a target, which is why anti-framing headers are standard hardening.

Where to go from here

Anti-framing headers are one layer of a hardened, healthcare-ready setup. See our key security measures for HIPAA-compliant hosting.
