Clickjacking Test — X-Frame-Options & Frame Embedding

An attacker loads your banking or admin login in an invisible iframe, then places fake buttons aligned with real submit controls. The victim believes they click 'Win a prize' but authorizes a transfer or changes account settings. Because the click is genuine, traditional CSRF tokens on the framed page may still submit.

Any page that performs sensitive actions without framing protection is a candidate target — not only login forms but 'confirm purchase' and 'delete account' flows.

DENY prevents all framing. SAMEORIGIN allows framing only by pages on the same scheme-host-port. ALLOWALL explicitly permits any embedder and should never be used on sensitive routes. Legacy ALLOW-FROM is largely unsupported in modern browsers.

Our test treats missing X-Frame-Options as permissive unless CSP frame-ancestors compensates.

frame-ancestors replaces X-Frame-Options in CSP Level 3. Values like frame-ancestors 'none' or frame-ancestors 'self' block untrusted embedders. frame-ancestors * allows any parent — equivalent to no protection.

When both headers exist, CSP frame-ancestors takes precedence in supporting browsers. Configure at least one restrictive directive.

Authentication endpoints are high-value clickjacking targets. Even if credentials are submitted over TLS, framing enables UI redress attacks that bypass user intent. Apply DENY or frame-ancestors 'none' on login, password reset, and payment confirmation URLs.

Marketing landing pages may intentionally allow embedding — segment policy by route rather than applying one global header.

Header analysis predicts browser behavior without rendering an iframe on our infrastructure. This is faster and safer for bulk audits. For visual confirmation, attempt to embed your page in a local HTML iframe test file after deploying headers.

Some legacy browsers ignore CSP — retaining X-Frame-Options DENY as backup remains best practice during transition periods.

JavaScript frame-busting scripts are unreliable — attackers can disable them. Rely on headers enforced by the browser engine. Partial site coverage where only homepage has DENY but /login does not leaves the vulnerable route exposed.

Third-party widgets that require iframe embedding should live on separate subdomains with relaxed policy, not on authenticated app routes.

X-Frame-Options presence contributes twenty points on the headers checker. This dedicated test interprets values and CSP interaction specifically for clickjacking risk rather than binary presence.

Run both tools on critical URLs — presence of a weak SAMEORIGIN on a site with multiple subdomains may still allow sibling subdomain attacks.

Add Content-Security-Policy: frame-ancestors 'self' or 'none' on sensitive paths. Set X-Frame-Options: DENY as defense in depth. Verify CDN does not strip security headers on HTML responses.

Retest after WAF or reverse proxy changes. Document framing policy in security architecture reviews.

We analyze HTTP headers only — not meta CSP tags in HTML body. If framing policy is set solely via meta tag, this fetch may miss it; prefer header delivery for enforcement consistency.

Redirects to a different host may serve different framing policy — test the final user-facing URL.

Pre-release QA on authentication redesigns. Bug bounty triage when researchers report UI redress. Compliance evidence for OWASP ASVS framing controls.

Pair with mixed-content and TLS checks so embedded resources do not weaken the framed page's integrity.