
How to Fix Clickjacking Vulnerabilities

DodaTech Updated 2026-06-24 2 min read

In this tutorial you'll learn how to fix clickjacking vulnerabilities. We cover the key concepts, practical header examples, and best practices so you can understand and apply them effectively.

Clickjacking vulnerabilities occur when an attacker embeds your web page in an invisible iframe on their site and tricks users into clicking elements on your page, performing actions they did not intend.

Quick Fix

Wrong

response.setHeader("X-Frame-Options", "ALLOWALL");
// or no X-Frame-Options header at all

With this configuration your site can be embedded in any iframe, enabling clickjacking attacks.

Fix with X-Frame-Options

// DENY: no site, not even your own, may frame this page
response.setHeader("X-Frame-Options", "DENY");

Fix with Content-Security-Policy

// The CSP source keywords must be single-quoted inside the header value
response.setHeader("Content-Security-Policy",
    "frame-ancestors 'none'");

Fix for same-origin framing

response.setHeader("X-Frame-Options", "SAMEORIGIN");
// or
response.setHeader("Content-Security-Policy",
    "frame-ancestors 'self'");

Fix with JavaScript frame busting

// If this page is not the top-level window, it is being framed:
// navigate the top-level window to this page instead.
if (window.top !== window.self) {
    window.top.location = window.self.location;
}

Note: JavaScript frame busting can be bypassed. Always use headers as the primary defense.

Fix for specific origins

// Allow framing by the page's own origin and by one trusted partner origin
response.setHeader("Content-Security-Policy",
    "frame-ancestors 'self' https://trusted-app.com");

Prevention

  • Set X-Frame-Options: DENY or SAMEORIGIN on all pages.
  • Use Content-Security-Policy: frame-ancestors as the modern alternative.
  • Add frame-busting JavaScript as defense-in-depth (but do not rely on it alone).
  • For pages that must be frameable (widgets), restrict framing to specific domains.
  • Test with the frametrap browser extension or OWASP ZAP.
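To see how a browser evaluates the configurations above, here is an added example (not DodaTech's code) of a small header checker: given a page's response headers, it decides whether a named embedding origin may frame the page, giving CSP frame-ancestors precedence over X-Frame-Options. All header values and origins are constructed for the demo, and host sources are matched on scheme and host only (ports and paths are ignored for brevity).

```javascript
// Added example, not DodaTech's code: decide whether a page may be framed by a given
// embedding origin, modelling the browser rule that a CSP frame-ancestors directive
// takes precedence over X-Frame-Options when both headers are present.
// Simplification: host sources are matched on scheme and host only (no ports or paths).

function parseFrameAncestors(csp) {
  // Return the frame-ancestors source list (lowercased), or null if the directive is absent.
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "frame-ancestors") {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

function sourceMatches(source, pageOrigin, embedderOrigin) {
  // One CSP source expression: 'self', *, a scheme (https:) or a host (https://a.com, *.a.com).
  if (source === "'self'") return embedderOrigin === pageOrigin;
  if (source === "*") return true;
  const embedder = new URL(embedderOrigin);
  if (source.endsWith(":") && !source.includes("/")) return embedder.protocol === source;
  const [scheme, hostPart] = source.includes("://") ? source.split("://") : [null, source];
  if (scheme && embedder.protocol !== scheme + ":") return false;
  const host = hostPart.replace(/[:/].*$/, "");
  if (host.startsWith("*.")) return embedder.hostname.endsWith(host.slice(1));
  return embedder.hostname === host;
}

function framingAllowed(headers, pageOrigin, embedderOrigin) {
  // headers: object keyed by lowercase header name, as a scanner would collect them.
  const csp = headers["content-security-policy"];
  const ancestors = csp ? parseFrameAncestors(csp) : null;
  if (ancestors) {
    if (ancestors.includes("'none'")) return false;
    return ancestors.some((s) => sourceMatches(s, pageOrigin, embedderOrigin));
  }
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return embedderOrigin === pageOrigin;
  // Missing header, ALLOWALL or an unrecognised value: nothing stops framing.
  return true;
}

// Constructed sample: the "Wrong" and "Fix for specific origins" configurations from this page.
const page = "https://app.example";
console.log(framingAllowed({ "x-frame-options": "ALLOWALL" }, page, "https://other-site.example")); // true
console.log(framingAllowed({ "content-security-policy": "frame-ancestors 'self' https://trusted-app.com" },
  page, "https://other-site.example")); // false
```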

DodaTech Tools

Doda Browser's clickjacking scanner checks for missing or misconfigured frame protection headers. DodaZIP archives security header configurations. Durga Antivirus Pro detects clickjacking attempts in real-time browser traffic.


FAQ

What is the difference between X-Frame-Options and CSP frame-ancestors?

X-Frame-Options is the older header and accepts only a limited set of values (DENY, SAMEORIGIN, ALLOW-FROM). CSP frame-ancestors is its modern replacement and can list multiple origins and wildcards; it is the better-supported option in modern browsers for these use cases.

Can clickjacking bypass X-Frame-Options?

Some techniques bypass X-Frame-Options, including using allow-top-navigation in HTML5 sandbox attributes and older browser bugs. CSP frame-ancestors is more robust. Use both headers for maximum protection.

Is clickjacking still a relevant vulnerability in modern browsers?

Yes, clickjacking remains relevant, especially for sites that embed content from other pages or provide social media widgets. Many high-profile sites have been vulnerable to clickjacking for actions like account deletion or financial transfers.

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro