Introduction
Web applications face various security threats, and one of the less obvious but dangerous attacks is Clickjacking. In a clickjacking attack, users are tricked into clicking something different from what they believe they are clicking.
Attackers use hidden or transparent elements to manipulate user actions, potentially leading to unauthorized transactions, account changes, or sensitive data exposure.
In this article, you'll learn what clickjacking is, how it works, and the best techniques to protect your applications.
What Is Clickjacking?
Clickjacking is a security attack in which a malicious website tricks users into clicking elements of another site that are hidden beneath, or disguised as, the attacker's own content.
For example:
User Sees:
"Play Video" Button
Actually Clicks:
"Transfer Money" Button
The victim believes they are performing one action while unknowingly executing another.
This attack is also known as a UI Redressing Attack.
How Clickjacking Works
A common attack scenario:
Attacker creates a malicious webpage.
The target website is loaded inside a hidden iframe.
Fake content is displayed above the iframe.
The user clicks a visible button.
The click lands on the hidden target page's button or link inside the iframe.
Workflow:
Victim Visits Malicious Site
↓
Hidden iframe Loads Target Site
↓
User Clicks Fake Button
↓
Action Performed on Target Site
The user remains unaware of the actual action.
Real-World Example
Imagine a banking application.
An attacker embeds the bank's transfer page inside an invisible iframe.
The victim sees:
Click Here To Win A Prize
When clicked:
Hidden Bank Transfer Button
↓
Money Transfer Triggered
If the victim is already logged in, the action may succeed, because the browser sends the victim's session cookies with the framed page just as it would on a normal visit (cookies marked SameSite=Lax or Strict are withheld from cross-site iframes, which limits this).
Common Targets
Clickjacking attacks often target:
Banking applications
Social media platforms
E-commerce websites
Admin dashboards
Online payment systems
Any website that performs important actions through buttons or links can be a target.
Why Clickjacking Is Dangerous
Clickjacking can lead to unauthorized transactions, unwanted account changes, and exposure of sensitive data.
Since the victim performs the action themselves, from their own browser and session, the request looks legitimate to the server and detection can be difficult.
Preventing Clickjacking with X-Frame-Options
One of the most effective protections is the X-Frame-Options header.
Example:
X-Frame-Options: DENY
This prevents the page from being loaded inside a frame by any site, including pages on its own origin.
Alternative:
X-Frame-Options: SAMEORIGIN
This allows framing only by pages from the same origin (scheme, host and port).
Using Content Security Policy (CSP)
Modern applications should use Content Security Policy.
Example:
Content-Security-Policy: frame-ancestors 'self';
This restricts which websites can embed your pages: 'self' permits only your own origin, and 'none' blocks framing entirely (the equivalent of X-Frame-Options: DENY).
Unlike X-Frame-Options, frame-ancestors can also list specific allowed origins, and browsers that support it ignore X-Frame-Options when both headers are present. Send both: the CSP directive for current browsers and X-Frame-Options as a fallback for older ones.
ASP.NET Core Example
Add security headers in middleware.
// Register this early in the pipeline, before static files and endpoints,
// so every response carries the header.
app.Use(async (context, next) =>
{
    // Assign with the indexer rather than Add(): Add() throws if another
    // component already set the header, which would turn into a 500 error.
    context.Response.Headers["X-Frame-Options"] = "DENY";
    await next();
});
This prevents iframe embedding.
Additional Security Measures
Besides security headers:
Use multi-factor authentication.
Protect sensitive actions with confirmation dialogs.
Implement CSRF protection.
Monitor suspicious activity.
Keep frameworks updated.
Layered security reduces overall risk.
Common Mistakes
Not Setting Security Headers
Without protection:
Website
↓
Can Be Embedded Anywhere
This increases exposure to clickjacking attacks.
Relying Only on Client-Side Protection
JavaScript frame-busting techniques can help, but the embedding page can neutralise them and they do nothing when scripts are blocked, so they should not replace security headers.
Ignoring Legacy Pages
Older admin panels and internal applications are common attack targets.
Review all application pages regularly.
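As an added example (not part of the article), a small Python audit that classifies each page's framing policy from its response headers, applying the browser rule that a CSP frame-ancestors directive overrides X-Frame-Options when both are present; the sample paths and responses are constructed and stand in for a crawl of your own site.

```python
# Added example (not from the article): audit anti-framing headers per page.
# Sample responses below are constructed; in practice feed it real responses.
from __future__ import annotations


def parse_frame_ancestors(csp: str) -> list[str] | None:
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            # Keyword sources ('self', 'none') are case-insensitive; hosts are kept as-is.
            return [t.lower() if t.startswith("'") else t for t in tokens[1:]]
    return None


def classify_framing(headers: dict[str, str]) -> str:
    """Classify as 'blocked', 'same-origin', 'allow-list:<sources>' or 'unprotected'."""
    h = {k.lower(): v for k, v in headers.items()}
    # Only the enforcing header counts; Content-Security-Policy-Report-Only never blocks.
    sources = parse_frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:  # CSP present: it takes precedence over X-Frame-Options
        if not sources or sources == ["'none'"]:  # empty source list matches nothing
            return "blocked"
        if sources == ["'self'"]:
            return "same-origin"
        return "allow-list:" + " ".join(sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # Missing header, ALLOW-FROM (dropped by current browsers) or a typo: no protection.
    return "unprotected"


# Constructed sample responses keyed by path.
SAMPLE_RESPONSES = {
    "/": {"X-Frame-Options": "DENY"},
    "/transfer": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
                  "X-Frame-Options": "DENY"},  # headers disagree: CSP wins
    "/widget": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "/legacy-admin": {"Content-Type": "text/html"},
    "/old": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}


def audit(responses: dict[str, dict[str, str]]) -> dict[str, str]:
    """Return path -> classification; every 'unprotected' entry needs attention."""
    return {path: classify_framing(hdrs) for path, hdrs in responses.items()}
```

Running audit(SAMPLE_RESPONSES) flags /legacy-admin and /old as unprotected and reports /transfer as same-origin, since the CSP directive overrides the stricter X-Frame-Options value sent alongside it.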
Best Practices
To prevent clickjacking:
Use X-Frame-Options.
Implement CSP frame-ancestors.
Protect critical actions.
Enable MFA where possible.
Conduct regular security testing.
Review third-party integrations.
These practices significantly reduce risk.
Conclusion
Clickjacking is a deceptive attack that manipulates user actions by hiding malicious functionality behind seemingly harmless content. Although the attack is simple, its impact can be significant, especially for banking, e-commerce, and administrative applications.
By implementing security headers such as X-Frame-Options and Content Security Policy, developers can effectively prevent websites from being embedded inside malicious iframes. Combined with other security measures, these protections help create safer web applications and better protect users from UI-based attacks.