Clickjacking attacks trick the user into clicking on an invisible page, loaded inside a frame on a decoy page, so that the click triggers an action the user did not intend to perform.
The defence is the X-Frame-Options HTTP response header, which tells the browser either not to render the page inside any frame element at all, or to block framing requests that do not come from the same origin, in line with the Same-Origin Policy.
The HTML elements vulnerable to clickjacking attacks include:
<frame>
<iframe>
<embed>
<object>
The two values a site can send in X-Frame-Options are as follows:
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
DENY: This prevents the browser from rendering the page in any of the vulnerable HTML elements mentioned above.
SAMEORIGIN: The frame tags can still be used as long as the site rendering the frame is the same origin as the page being framed.
Note: A third option, ALLOW-FROM uri, which allowed framing only from the specified URI and blocked requests from origins not on that whitelist, was deprecated later on. It no longer works in modern browsers.
We can use the HTML meta tag along with its http-equiv attribute to set this header, as demonstrated below:
<meta http-equiv="X-Frame-Options" content="sameorigin" />
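As an added example that is not part of the original answer, the Python below models how a modern browser applies the two supported values and audits a few constructed sample responses for the header. One caveat a practitioner should know: browsers only honour X-Frame-Options when it arrives as an HTTP response header; the same directive placed in a meta http-equiv tag has no effect, so the audit flags that case as unprotected. All URLs, response headers, bodies and function names here are constructed for illustration.

```python
"""Model X-Frame-Options handling and audit responses for it.

Added example for this page. Sample data is constructed, not from a real site.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Return scheme://host[:port] (lower-cased) so URLs compare by origin.

    Simplification: an explicit default port (":443") is not normalised away.
    """
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def framing_allowed(xfo: Optional[str], page_url: str, framer_url: str) -> bool:
    """Model how a current browser applies the X-Frame-Options header.

    xfo        : header value as received, or None if the header is absent
    page_url   : URL of the response that someone is trying to frame
    framer_url : URL of the top-level document containing the frame
    (Simplification: only the top-level document is checked, not every ancestor.)
    """
    if xfo is None:
        return True  # no header: any site may frame the page
    value = xfo.strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return origin_of(page_url) == origin_of(framer_url)
    # ALLOW-FROM and any other token are not recognised by modern browsers;
    # an unrecognised value is ignored, so the page ends up frameable.
    return True


# Matches <meta http-equiv="X-Frame-Options" ...>, which browsers ignore.
META_XFO = re.compile(r'<meta\s+[^>]*http-equiv\s*=\s*["\']x-frame-options["\']', re.I)


def audit_response(url: str, headers: Dict[str, str], body: str = "") -> List[str]:
    """Return a list of findings for one response; an empty list means protected."""
    lowered = {k.lower(): v for k, v in headers.items()}
    xfo = lowered.get("x-frame-options")
    findings: List[str] = []
    if xfo is None:
        findings.append("missing X-Frame-Options header")
        if META_XFO.search(body):
            findings.append("X-Frame-Options only in <meta http-equiv>, which browsers ignore")
    else:
        value = xfo.strip().upper()
        if value.startswith("ALLOW-FROM"):
            findings.append("deprecated ALLOW-FROM value; modern browsers ignore it")
        elif value not in ("DENY", "SAMEORIGIN"):
            findings.append(f"unrecognised value {xfo!r}; browsers ignore it")
    return findings


# Constructed sample responses: (url, headers, body)
SAMPLE_RESPONSES = [
    ("https://bank.example/transfer", {"X-Frame-Options": "DENY"}, "<html></html>"),
    ("https://bank.example/widget", {"x-frame-options": "sameorigin"}, "<html></html>"),
    ("https://bank.example/legacy", {"X-Frame-Options": "ALLOW-FROM https://partner.example/"}, ""),
    ("https://bank.example/settings", {},
     '<html><head><meta http-equiv="X-Frame-Options" content="sameorigin" /></head></html>'),
]


def run_audit() -> Dict[str, List[str]]:
    """Audit every constructed sample response and map URL -> findings."""
    return {url: audit_response(url, headers, body) for url, headers, body in SAMPLE_RESPONSES}


if __name__ == "__main__":
    for url, findings in run_audit().items():
        print(url, "->", "OK" if not findings else "; ".join(findings))
```

Running the module prints one line per sample response; only the two responses that send DENY or SAMEORIGIN as a real header come back clean.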