Savvycal (Online meetings)
Zendesk (Helpdesk and Chat)


We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this website.

Please see our statement on Data Privacy.


Home   Blog  

Clickjacking - a subtle yet significant threat

What is Clickjacking?

Most threats like phishing and malware are well known and understood by users, others like "clickjacking" remain less familiar. The term "clickjacking" is a compound of "click" and "hijacking". It refers to a malicious technique where attackers trick users into clicking on something different from what they perceive. In essence, an attacker can "hijack" clicks and make users perform unintended actions.

How does clickjacking work?

Clickjacking is typically accomplished using a combination of embedded content and a transparent layer. This is a simplified breakdown of the process:

Page with an embedded page

Attackers create a page and embed a legitimate web page, e.g. a login to a service, by using an IFRAME.

Invisible frame

The attackers arrange an invisible (transparent) frame on top of the IFRAME with the legitimate page. They also place invisible controls on that frame at the same position as the controls of the legitimate page.

Deceptive prompt

The attackers now lure the user to open the page in a browser, e.g. via a phishing email.

Unintended action

When the user attempts to interact with what they see, they are unknowingly interacting with the hidden layer. This causes them to perform actions they do not intend, like downloading malware, submitting credentials, or making online transactions.

Why is clickjacking dangerous?

Successful clickjacking attacks may have severe consequences:

How to Protect Yourself from Clickjacking

As a user:

As a webmaster: implement:

  1. X-Frame-Options HTTP response header for all your websites
  2. Content-Security-Policy frame-ancestors directive

The second option obsoletes the first in all modern browsers.


Clickjacking is a subtle yet significant threat. By understanding its mechanisms and by staying updated with preventive measures, users can navigate the web in a secure manner. Webmasters should implement the technical measures described in this post.


Google Safe Browsing
MDN (Mozilla Developer Network): X-Frame-Options
MDN (Mozilla Developer Network): Content-Security-Policy
Can I use: HTTP header: Content-Security-Policy: frame-ancestors

Created: 2023-10-05 11:29:11

Contact us
Share this page

Terms of use 
Data Privacy 
Coordinated Disclosure 
Subscribe to our newsletter to learn more about our work