Clickjacking
Clickjacking embeds a target site in a transparent iframe overlaid on a malicious page. The attacker positions invisible buttons over the victim's interface, tricking users into clicking on actions they didn't intend — like authorizing an app, making a purchase, or liking a post.
How it works
The attacker creates a page with a hidden iframe pointing to your site. CSS makes the iframe transparent and positions it over a fake button. The user thinks they're clicking the fake button, but is actually clicking a real button on your site — like "Transfer funds" or "Authorize app".
The headers that prevent it
Both of these tell browsers not to allow your page to be loaded inside an iframe on untrusted origins:
X-Frame-Options (older, simpler)
X-Frame-Options: SAMEORIGIN   # Only allow framing by the same origin
X-Frame-Options: DENY         # Block all framing
CSP frame-ancestors (modern, more control)
Content-Security-Policy: frame-ancestors 'none';               # Block all framing
Content-Security-Policy: frame-ancestors 'self';               # Same origin only
Content-Security-Policy: frame-ancestors https://partner.com;  # One specific origin
frame-ancestors in CSP overrides X-Frame-Options in modern browsers. Use both for maximum compatibility.
Nginx config
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Content-Security-Policy "frame-ancestors 'self'" always;
When you legitimately need to be framed
If a partner site needs to embed your content, use frame-ancestors https://partner.com to allow only that specific origin. Never use a wildcard. X-Frame-Options cannot name a third-party origin (its ALLOW-FROM value is not supported by current browsers), so this case relies on the CSP directive.
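As an added example (not code from the original page), here is a small Python model of the browser decision described above: it applies X-Frame-Options, CSP frame-ancestors and the precedence between them to a set of response headers and an embedding origin. It assumes the header sets and origins passed in are constructed test values, matches only exact origins, scheme-only sources and *.host wildcards rather than the full CSP source-expression grammar, and checks a single embedding origin instead of the whole ancestor chain.

```python
from urllib.parse import urlsplit


def _frame_ancestors(csp):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def _source_matches(source, embedder):
    """Simplified source-expression match: '*', scheme-only, exact origin or *.host wildcard."""
    e = urlsplit(embedder)
    if source == "*":
        return True
    if source.endswith(":"):                      # scheme-only source, e.g. https:
        return e.scheme == source[:-1]
    s = urlsplit(source if "://" in source else f"{e.scheme}://{source}")
    if s.scheme != e.scheme or s.port != e.port:
        return False
    host = s.hostname or ""
    if host.startswith("*."):                     # *.partner.com matches sub.partner.com only
        return (e.hostname or "").endswith(host[1:])
    return host == e.hostname


def framing_allowed(headers, page_origin, embedder_origin):
    """True if a browser would render page_origin inside a frame on embedder_origin."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = _frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:                       # CSP frame-ancestors takes precedence
        for src in sources:
            if src == "'self'" and embedder_origin.lower() == page_origin.lower():
                return True
            if src not in ("'self'", "'none'") and _source_matches(src, embedder_origin):
                return True
        return False                              # 'none', or no listed source matched
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder_origin.lower() == page_origin.lower()
    return True                                   # no recognised header: anyone may frame


if __name__ == "__main__":
    # Constructed sample: the headers the nginx config above emits, tried from a hostile origin.
    nginx_headers = {"X-Frame-Options": "SAMEORIGIN", "Content-Security-Policy": "frame-ancestors 'self'"}
    print(framing_allowed(nginx_headers, "https://app.example", "https://attacker.example"))  # False
```

Feed it the headers captured from your own site's responses to confirm an untrusted origin is refused, and that the partner origin is still accepted, before deploying a change.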