<script type="application/ld+json"> { "@context":"https://schema.org", "@type":"FAQPage", "mainEntity":[ { "@type":"Question", "name":"What’s the difference between clickjacking and UI redressing?", "acceptedAnswer":{ "@type":"Answer", "text":"Clickjacking is a specific attack that hijacks a user’s click on a hidden target. UI redressing is the broader set of visual tricks that mislead users, and can include more than just clicks." } }, { "@type":"Question", "name":"How does Content Security Policy (CSP) help prevent clickjacking?", "acceptedAnswer":{ "@type":"Answer", "text":"Define a strict frame-ancestors allowlist in CSP (e.g., 'self' and approved partners) to block hostile framing. Start in Report-Only to test, then enforce across sensitive routes." } }, { "@type":"Question", "name":"Which browser features or headers stop clickjacking?", "acceptedAnswer":{ "@type":"Answer", "text":"Use CSP frame-ancestors as the primary control with X-Frame-Options as a legacy fallback. Complement with Permissions-Policy to disable unused powerful features." } }, { "@type":"Question", "name":"Can clickjacking steal data or is it only a nuisance?", "acceptedAnswer":{ "@type":"Answer", "text":"Same-origin rules prevent reading framed content directly, but clickjacking can still trigger impactful actions (e.g., transfers, permission grants). Combined with flaws like XSS or weak CSRF, the risk escalates." } }, { "@type":"Question", "name":"How do modern frameworks reduce clickjacking risks?", "acceptedAnswer":{ "@type":"Answer", "text":"Most provide middleware or helpers to set CSP and X-Frame-Options. You still need to review routes and embeds and configure precise allowlists for full coverage." } } ] } </script>
products
Back
products
A stack of blue books with the words cdn 1 and cdn 2.
Virtual Edge
Full Control. One Platfrom.
Controls all your CDN with IO river.
An image of a blue globe with a line going around it.
Virtual CDN
SIngle CDN. Built by Many.
One endpoint for all.
Solutions
Back
By Industry
Streaming
one line description for the
Ad
one line description for the
Media Publishers
one line description for the
Gaming
one line description for the
by need
Cost Reduction
one line description for the
Redundancy & Availability
one line description for the
CDN Migration
one line description for the
Unified Security Solution
one line description for the
Resources
Back
Resources
Resources Library
Case Studies
Blogs
Documentation
queries
Questions
Glossary
FAQ
Company
Back
About company
About Us
Events
Customers Stories
Careers
SUpport
Contact Us
Security passport
News
PricingPartners
Glossary
Clickjacking

Clickjacking

Rostyslav Pidgornyi

Clickjacking is a sneaky cyberattack that tricks you into clicking on something without even realizing it. This kind of attack takes advantage of how web pages are designed, often hiding harmful actions behind something that looks safe.

Clickjacking isn’t just a threat for developers and website owners; it’s something that affects everyone. But with the right tools, techniques, and a bit of caution, you can stay safe easily. 

What is Clickjacking?

At its core, clickjacking is a type of online trickery. Hackers hide malicious actions inside legitimate-looking buttons, links, or web elements. For example, you might think you're clicking a "Play" button on a video, but in reality, you're unknowingly liking a post, sharing personal data, or even transferring money.

This attack often uses iframes, a way to embed one web page within another. The hacker hides their harmful iframe under a button or image you trust. When you click on it, you're not interacting with what you see but with the invisible, malicious content underneath.

How Clickjacking Attacks Work

To really get the concept of clickjacking, imagine a magician performing a sleight-of-hand trick. You see one thing, but something completely different happens. Here's how it usually plays out:

  1. A Legitimate Web Page is Targeted: Hackers identify a trusted website or service to exploit.
  2. Invisible Layers are Added: The hacker embeds malicious content in an invisible frame over the trusted content.
  3. You are Tricked into Clicking: You click a button or link, thinking it’s harmless, but you're actually triggering the hidden action.

These attacks can have serious consequences, such as granting permissions to apps, sharing confidential information, or even enabling a webcam without your knowledge.

Types of Clickjacking (Variants & Patterns)

Click jacking appears in several patterns. A clever clickjacker places hidden or misaligned elements over legitimate controls. 

Robust clickjacking protection focuses on blocking framing, hardening sensitive flows, and limiting powerful browser features to prevent clickjacking in all its forms.

1) Likejacking:

Tricks users into liking, following, or sharing by overlaying a hidden social button.

  • Targets: social widgets, reputation actions.
  • Mitigation: Content-Security-Policy with frame-ancestors allowlist, X-Frame-Options fallback, review any third‑party embeds, add confirm clicks for high‑impact actions.

2) Cursorjacking:

Manipulates perceived pointer position using CSS or visual decoys so clicks land on hidden controls.

  • Targets: delete, purchase, or settings buttons.
  • Mitigation: deny framing, avoid pointer‑offset illusions in your own UI, show clear focus outlines, log unusual click patterns.

3) Touchjacking (mobile):
Overlays tap targets on phones and tablets so a tap authorizes something unintended.

  • Targets: pay, subscribe, or permission prompts.
  • Mitigation: block framing, add two‑step confirms for risky taps, detect obscured touches where supported, prefer large visible hit areas.

4) Permission jacking:

Coaxes users to grant camera, microphone, notifications, or geolocation by hiding the real prompt.

  • Targets: browser permission dialogs and WebRTC flows.
  • Mitigation: deny framing, set Permissions-Policy to disallow unused capabilities, require in‑context user intent before requesting permissions.

5) Drag‑and‑drop jacking:

Forces a drag or drop onto a hidden area to upload files or move money between accounts.

  • Targets: file upload zones, financial transfer widgets.
  • Mitigation: deny framing, require visible confirmation after drop, disable drop on sensitive regions unless the element has focus.

6) OAuth consent jacking:

Frames an identity provider or consent screen so a user unknowingly grants scopes.

  • Targets: SSO and API access approvals.
  • Mitigation: identity provider sets strict frame-ancestors, relying party adds post‑consent verification, highlight requested scopes prominently.

7) UI flow jacking

Stacks several hidden steps so rapid clicks complete a transaction or change security settings.

  • Targets: checkout, password or MFA changes.
  • Mitigation: re‑authenticate for sensitive steps, add explicit summaries with a final confirm, rate limit rapid multi‑click sequences.

8) Combined clickjacking and CSRF

Uses framing to guide a click that submits a CSRF‑susceptible action.

  • Targets: legacy endpoints without CSRF tokens.
  • Mitigation: deny framing and enforce CSRF protections, separate write actions from simple GETs, apply SameSite cookies as a secondary control.

Why Clickjacking is a Serious Vulnerability

Clickjacking is dangerous because it takes advantage of your trust. You believe you're interacting with a safe website, but the truth is far from it. This clickjacking vulnerability is often exploited to:

  • Steal login credentials.
  • Hijack social media accounts.
  • Trigger harmful downloads.
  • Manipulate financial transactions.

What makes it even scarier is that you often won't realize you've been a victim until it's too late.

How to Test for Clickjacking

You might wonder how to find out if a website is vulnerable to clickjacking. A clickjacking test can help. Security experts use tools and methods to see if a website allows malicious content to be embedded within it.

  1. Frame Testing: Try embedding the website in an iframe on another page. If it works, the site could be vulnerable.
  2. X-Frame-Options Header Check: Use browser developer tools to see if the site has the X-Frame-Options header set to "DENY" or "SAMEORIGIN." If not, it’s a red flag.
  3. Third-Party Tools: Security scanners and penetration testing tools often include clickjacking tests to detect vulnerabilities.

If you’re a website owner, performing these tests is crucial to ensure your visitors' safety.

Preventing Clickjacking Attacks

The good news is that preventing clickjacking isn’t overly complicated. Here’s how you can protect yourself and your website:

  1. Use the X-Frame-Options Header:

    This is the simplest and most effective way to block clickjacking. Adding this header to your website tells browsers not to allow your content to be displayed in an iframe.some text
    • X-Frame-Options: DENY prevents your site from being displayed in any iframe.
    • X-Frame-Options: SAMEORIGIN allows iframes only if they are on the same domain.
  2. Content Security Policy (CSP):

    Use CSP headers to control how your website’s resources are loaded. A CSP with a frame-ancestors directive can block embedding your site in unauthorized iframes.

    Example:

    Content-Security-Policy: frame-ancestors 'self';
  3. Frame Busting Scripts:

    These JavaScript snippets can prevent your site from being loaded in an iframe. For example:

    if (window.top !== window.self) {
    window.top.location = window.self.location;
    }
  4. Educate Users:

    Encourage users to double-check links and only interact with trusted websites. Awareness is a powerful defense against clickjacking.

Real-World Examples of Clickjacking

Here’s some historical evidence of clickjacking affecting users:

  • Twitter Clickjacking Incident (2009): In this attack, users were tricked into retweeting a malicious link. The attacker used a hidden iframe overlaid on a "Retweet" button, causing users to unknowingly share the malicious content with their followers.
  • Facebook Likejacking Worm (2010): Attackers exploited Facebook's "Like" button by embedding it in invisible frames on malicious websites. Users who clicked seemingly harmless buttons inadvertently "liked" a page, spreading the malicious link across their network.
  • PayPal Clickjacking Vulnerability (2022): PayPal's money transfer service was found to have a vulnerability that could be exploited through clickjacking. An attacker could trick users into unknowingly transferring funds by overlaying invisible frames on a malicious webpage.

What Clickjacking Code Looks Like

To carry out a clickjacking attack, hackers often use simple HTML and CSS. Here’s an example of what their code might look like:

<div style="position:relative;">
	<iframe src="https://target-website.com" style="opacity:0; position:absolute; z-index:10;"></iframe>
	<button style="z-index:5;">Click Me!</button>
</div>

In this setup, the iframe covers the button, but it’s invisible. When you click the button, you're interacting with the iframe instead.

Conclusion

Clickjacking is a deceptive technique that can lead to serious security breaches, including unauthorized actions and data theft. The only way of going around is to actively look for instances, and using preventive measures like X-Frame-Options headers, Content Security Policy directives, and frame-busting scripts.

FAQs

What is the difference between clickjacking and UI redressing?

Clickjacking is a specific attack that hijacks a user’s click on a hidden target. UI redressing is the broader technique of visually manipulating an interface so users act against their intent. All clickjacking relies on UI redressing, but UI redressing can include non‑click interactions such as taps or drags.

How can Content Security Policy (CSP) help in preventing clickjacking attacks?

CSP blocks hostile framing with the frame-ancestors directive. Set a tight allowlist such as frame-ancestors 'self' https://partner.example.com. Test with Report‑Only first, then enforce. Apply the policy on every sensitive response, not just the homepage, to prevent clickjacking consistently across your app.

Are there any browser features or header configurations that stop clickjacking?

Yes. Use CSP frame-ancestors as the primary control and X-Frame-Options as a legacy fallback. Add Permissions-Policy to disable powerful features you do not use. Frame‑busting JavaScript is brittle, so prefer headers managed at the server, proxy, or CDN for dependable coverage.

Can clickjacking be used to steal sensitive data, or is it just a nuisance?

Same‑origin policy prevents direct reading of framed content, so pure clickjacking cannot exfiltrate pixels or DOM. It can still trigger high‑impact state changes such as transfers, permission grants, or account modifications. Combined with other flaws like XSS or weak CSRF, it can escalate to serious data or account compromise.

How do modern frameworks mitigate clickjacking risks in web apps?

Most frameworks ship secure defaults or middleware that set anti‑framing headers. Examples include helpers for CSP and X-Frame-Options, plus template tags for critical pages. Coverage is not automatic for all routes and static assets. Review partner embed needs, then configure a precise allowlist to prevent clickjacking end to end.

Published on:
October 20, 2025
No items found.

Related Glossary

See All Terms
No items found.
This is some text inside of a div block.
No items found.
100 Causeway St.,
Boston, Massachusetts,
02114 United States
Book a Demo
Solutions
Company
Resources
Products
Legal
Products
VCDNVirtual Edge
Solutions
Redundancy for
Dynamic TrafficCost ReductionMigrationCost OptimizationMigration
Company
About UsNewsroomPartnersContact Us
Resources
BlogGlossaryResources LibraryCustomer Success StoriesFAQEventsQuestionsAPI Documentation
Legal
Privacy PolicyTerms of UseCookies PolicySecurity PassportDPAService Level Agreement
Derech Menachem Begin 127,
Azrieli Center (Triangle Tower),
Tel Aviv - Yaffo, Israel
© All Rights Reserved to IO River LTD 2022 — 2025