Here’s a reason why your website is not secure

Originally published on Dev.

If you are a website developer, you have most probably protected yourself from common attacks such as XSS, SQL, CSRF, etc.

But are you safe from a Clickjacking attack?

Try this:

1. Create a blank HTML file.

2. Add the following code:

<style>body { margin:0; }</style>

<iframe src=”http://your-site.com" width=”100%” height=”100%” style=”border: 0"></iframe>

Then open the HTML file in your browser. If your browser loads your website, "congratulations"! You’re susceptible to clickjacking attacks.

However, if your browser displays the following error (or similar) in your console:

Refused to display ‘https://your-site.com' in a frame because it set ‘X-Frame-Options’ to ‘sameorigin’.

then you are [relatively] safe.

What is Clickjacking?

Clickjacking is an attack where an attacker uses an iframe to load your site and tricks a user to click on a button/link. The attacker then hijacks the clicks meant for the original server.

The above code opens your website in such a way that no one can tell the difference between your real website and the iframed version, especially if an attacker uses a URL similar to your domain name, e.g. faceebook.com

Most sites, e.g. Facebook, Github, etc have blocked page loading via iframes, i.e. you cannot load any of these pages via an iframe. YouTube only allows embedded videos.

How to protect yourself from clickjacking

Whether you are using Nginx, Apache server, etc., you should disable the loading of your website in an iframe by setting the x-frame-options header in your config files to DENY, e.g.:

x-frame-options: DENY

Protect yourself from Clickjacking attacks today.

You can learn more here:

https://keycdn.com/blog/x-frame-options