Merged
10 changes: 7 additions & 3 deletions files/en-us/web/security/attacks/clickjacking/index.md
Expand Up @@ -50,17 +50,21 @@ If the user tries to click "Click here for a free kitten!", they will actually b

## Clickjacking defenses

Clickjacking depends on the target website being embedded in the attacker's decoy site inside an `<iframe>`. The main defense is to disallow or at least control this capability.
### Restricting embedding

Clickjacking depends on the target website being embedded in the attacker's decoy site inside an `<iframe>`. The main defense is to disallow or at least restrict this capability.

There are two relevant tools here:

- The [`frame-ancestors` directive](/en-US/docs/Web/HTTP/Guides/CSP#clickjacking_protection) in a [content security policy](/en-US/docs/Web/HTTP/Guides/CSP)
- The {{httpheader("X-Frame-Options")}} response header.
- The [`frame-ancestors` directive](/en-US/docs/Web/HTTP/Guides/CSP#clickjacking_protection) in a [content security policy](/en-US/docs/Web/HTTP/Guides/CSP). With this directive, you can control exactly which other documents are allowed to embed yours.
- The {{httpheader("X-Frame-Options")}} response header. This header is less fine-grained: it just enables you to disable embedding entirely, or allow it only for [same-origin](/en-US/docs/Web/Security/Defenses/Same-origin_policy) documents.

The `frame-ancestors` directive is a replacement for `X-Frame-Options`. By setting `X-Frame-Options` as well as `frame-ancestors`, you can prevent embedding in browsers that don't support `frame-ancestors`. As [browser support for `frame-ancestors` is very good](/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/frame-ancestors#browser_compatibility), this is not a major concern.

If `frame-ancestors` and `X-Frame-Options` are both set, then browsers that support `frame-ancestors` will ignore `X-Frame-Options`.

### Restricting cross-site cookies

As an additional partial mitigation, sites should set the [`SameSite`](/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#samesitesamesite-value) cookie attribute for session cookies to `Lax` or `Strict`. Requests from embedded contexts such as `<iframe>` elements that are not {{glossary("Site", "same-site")}} with the top-level document will not include these cookies, and the server will therefore not treat the request as coming from a logged-in user.

## Defense summary checklist
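Review bot: The new `X-Frame-Options` bullet (the line beginning "- The {{httpheader("X-Frame-Options")}} response header. This header is less fine-grained") would be more useful if it named the two values it is paraphrasing, since a reader applying the defense needs the header syntax: `X-Frame-Options: DENY` for disabling embedding entirely and `X-Frame-Options: SAMEORIGIN` for allowing only same-origin documents. In the same list, the `frame-ancestors` bullet could note that the directive takes effect only when the policy is delivered in the `Content-Security-Policy` HTTP response header and is ignored in a `<meta http-equiv>` element, which is a common reason the protection silently fails to apply. The added paragraph stating that browsers which support `frame-ancestors` ignore `X-Frame-Options` when both are set matches the CSP specification and needs no change.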