
Tony

Here’s a reason why your website is not secure

If you are a website developer, you have probably protected yourself from common attacks such as XSS, SQL injection, CSRF, etc.

But are you safe from a Clickjacking attack?


Try this:

1) Create a blank html file

2) Add the following code:

<style>html, body { margin:0; height:100%; }</style>

<iframe src="http://your-site.com" width="100%" height="100%" style="border: 0"></iframe>

Then open the html file in your browser. If your browser loads your website, congratulations (pun)! You’re susceptible to clickjacking attacks :)

But if your browser displays the following error (or similar) in your console:

Refused to display 'https://your-site.com' in a frame because it set 'X-Frame-Options' to 'sameorigin'.

then you are [relatively] safe.


What is Clickjacking?

Clickjacking is an attack where an attacker loads your site in an iframe on a page they control and tricks a user into clicking a button or link. The click the user thinks they are making on the attacker's page actually lands on your site, so the attacker hijacks actions meant for your real site.

The above code opens your website in such a way that no one can tell the difference between your real website and the iframed version, especially if the attacker serves it from a look-alike domain similar to yours, e.g. faceebook.com

Most major sites, such as Facebook, GitHub, WhatsApp, etc., have blocked loading their pages in iframes, i.e. you cannot load any of these pages via an iframe. YouTube only allows embedded videos.


Whether you are using Nginx, Apache, etc., you should disable the loading of your website in an iframe by setting the X-Frame-Options header in your server config to DENY, e.g.

x-frame-options: DENY

Protect yourself from Clickjacking attacks today.

You can learn more here:

https://keycdn.com/blog/x-frame-options
