
What is clickjacking?

Last reviewed June 2, 2026

Clickjacking is a user interface redress attack (CWE-1021) where an attacker overlays or frames a legitimate site invisibly so victims click controls they cannot see. The user believes they are interacting with the attacker's page, but their clicks land on the framed application, triggering unintended actions. It is prevented by stopping the site from being framed using X-Frame-Options or a Content Security Policy frame-ancestors directive.

What clickjacking is

Clickjacking, also known as a user interface redress attack, tricks a user into clicking something different from what they perceive. The attacker loads a target application inside a frame on a page they control and uses styling to make that frame invisible or to disguise it as harmless content.

Because the framed application is the real, authenticated site, the victim's clicks are genuine interactions with it. The attacker simply controls where the visible decoy sits so that an innocent-looking click actually activates a sensitive control underneath.

How clickjacking works

  • The attacker creates a page that loads the target site in a transparent or hidden iframe.
  • A visible decoy, such as a button or a game element, is positioned exactly over a sensitive control in the framed site.
  • The victim, who may already be logged in to the target, clicks the decoy.
  • The click passes through to the framed control, performing an action such as changing a setting, confirming a transfer, or granting a permission.

Impact of clickjacking

Clickjacking lets an attacker drive actions in the victim's authenticated session without stealing credentials. The severity depends on what a single click can accomplish in the target application.

  • Unintended state-changing actions such as toggling settings or confirming transactions.
  • Granting of permissions, including OAuth consent or camera and microphone access.
  • Account changes such as deleting data or adding an attacker-controlled recovery method.
  • Amplification of related attacks by combining framing with social engineering.

How to prevent clickjacking

  • Set a Content Security Policy with a frame-ancestors directive that lists only trusted origins allowed to frame the site, or none to forbid framing entirely.
  • Send the X-Frame-Options header set to DENY or SAMEORIGIN to support older browsers that do not honor frame-ancestors.
  • Use SameSite cookie attributes so that cross-site framed requests do not carry the user's session, reducing what a hijacked click can do.
  • Require explicit re-confirmation or re-authentication for high-impact actions so a single framed click is not enough.
  • Prefer frame-ancestors as the primary defense, since X-Frame-Options is the legacy mechanism and is superseded by Content Security Policy.
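The following audit helper is an added example, not code from this page: it models how a current browser decides whether a response may be framed by a given origin, with frame-ancestors taking precedence over X-Frame-Options as described above. It implements a subset of CSP source matching (ports are ignored), and the origins app.example, partner.example and attacker.example are constructed names.

```python
from urllib.parse import urlparse

# Constructed example of the recommended response headers: CSP frame-ancestors
# as the primary control, X-Frame-Options as the fallback for older browsers.
HARDENED_HEADERS = {
    "Content-Security-Policy": "frame-ancestors 'self' https://partner.example",
    "X-Frame-Options": "SAMEORIGIN",
}

def _frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def _source_matches(source, page_origin, framer_origin):
    """Subset of CSP3 source matching: keywords, '*', scheme-only sources, and
    hosts with an optional scheme and leading wildcard. Ports are ignored."""
    if source == "'none'":
        return False
    if source == "'self'":
        return framer_origin == page_origin
    if source == "*":
        return True
    framer = urlparse(framer_origin)
    if source.endswith(":") and "/" not in source:      # e.g. "https:"
        return framer.scheme == source[:-1]
    scheme, _, host = source.rpartition("://")
    if scheme and framer.scheme != scheme:
        return False
    if host.startswith("*."):                           # e.g. "*.example.com"
        return (framer.hostname or "").endswith(host[1:])
    return framer.hostname == host

def may_be_framed(headers, page_origin, framer_origin):
    """True if a modern browser would let framer_origin embed the page.
    When frame-ancestors is present it wins and X-Frame-Options is ignored;
    otherwise X-Frame-Options applies; with neither header, framing is allowed."""
    h = {k.lower(): v for k, v in headers.items()}
    page_origin, framer_origin = page_origin.lower(), framer_origin.lower()
    sources = _frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        return any(_source_matches(s, page_origin, framer_origin) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer_origin == page_origin
    return True   # missing or unrecognized value (e.g. obsolete ALLOW-FROM): not blocked
```

Running `may_be_framed` over the headers a deployment actually returns, with the framing origin set to an untrusted site, is a quick regression check that the anti-framing controls are still in place.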


Frequently asked questions

What is the difference between X-Frame-Options and frame-ancestors?
X-Frame-Options is an older response header with simple values like DENY and SAMEORIGIN. The Content Security Policy frame-ancestors directive is the modern replacement, allows listing multiple trusted origins, and is honored by current browsers. Use frame-ancestors as the primary control.
How is clickjacking different from cross-site request forgery?
Cross-site request forgery forges a request directly from the victim's browser. Clickjacking instead manipulates the victim into clicking a real control on a framed page. Both can perform actions in an authenticated session, but the mechanism and the user interaction differ.
Do SameSite cookies fully prevent clickjacking?
No. SameSite attributes reduce the impact by limiting whether session cookies accompany framed cross-site requests, but the primary fix is to prevent the page from being framed at all using frame-ancestors or X-Frame-Options.
Why can clickjacking succeed even with strong passwords?
Clickjacking does not steal credentials. It abuses an already authenticated session by redirecting genuine clicks, so password strength and most multi-factor methods do not stop it. Framing controls are the relevant defense.