DEV Community

Tony
Tony

Posted on • Edited on

Here’s a reason why your website is not secure

If you are a website developer, you have most probably protected yourself from common attacks such as XSS, SQL, CSRF, etc.

But are you safe from a Clickjacking attack?


Try this:

1) Create a blank html file

2) Add the following code:

<style>body { margin:0; }</style>

<iframe src=”http://your-site.com" width=”100%” height=”100%” style=”border: 0"></iframe>
Enter fullscreen mode Exit fullscreen mode

Then open the html file in your browser. If your browser loads your website, congratulations (pun)! You’re susceptible to clickjacking attacks :)

But if your browser displays the following error (or similar) in your console:

Refused to display ‘https://your-site.com' in a frame because it set ‘X-Frame-Options’ to ‘sameorigin’.
Enter fullscreen mode Exit fullscreen mode

then you are [relatively] safe.


What is Clickjacking?

Clickjacking is an attack where an attacker uses an iframe to load your site and tricks a user to click on a button/link. The attacker then hijacks the clicks meant for the original server.

The above code opens your website in such a way that no one can tell the difference between your real website and the iframed version, especially if an attacker uses a [false] url similar to your domain name, e.g. faceebook.com

Most sites like Facebook, Github, Whatsapp, etc have blocked iframes page loading, i.e. you cannot load any of these pages via an iframe. YouTube only allows embedded videos.


Whether you are using Nginx, Apache server, etc., you should disable the loading of your website in an iframe by setting the x-frame-options header in your config files to DENY, e.g.

x-frame-options: DENY
Enter fullscreen mode Exit fullscreen mode

Protect yourself from Clickjacking attacks today.

You can learn more here:

https://keycdn.com/blog/x-frame-options

Top comments (0)