
Clickjacking (X-Frame-Options header not set)

This attack occurs when a malicious site loads a page from another site in a hidden frame or iframe and tricks the user into clicking a concealed element of that framed page (for example, a "confirm" or "transfer" button positioned under a decoy). Because the click is delivered to the framed page with the victim's own cookies, the action is performed with the victim's session.




Preventing clickjacking
=======================

> Modern browsers honor the `X-Frame-Options` HTTP header, which indicates whether a resource may be loaded inside a frame or iframe. If the response carries the header with the value ``SAMEORIGIN``, the browser loads the resource in a frame only if the framing page has the same origin as the resource. If the header is set to ``DENY``, the browser refuses to load the resource in any frame, regardless of which site made the request. The header protects only the responses that carry it, so it must be sent on every page that could be a clickjacking target, not just the login page. The ``ALLOW-FROM`` variant was never implemented consistently and is ignored by current browsers; the Content-Security-Policy ``frame-ancestors`` directive supersedes ``X-Frame-Options`` wherever both are present, so sending both covers old and new browsers.
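The following is an added example, not code from the original page: it shows the headers a server should emit for each policy and a simulation of the decision a browser makes when such a response arrives for a frame, modelled on the X-Frame-Options check in the HTML standard. The function names, the sample origins (`https://bank.example`, `https://evil.example`) and the "policy" labels are assumptions chosen for illustration; the `frame-ancestors` matcher handles only `'none'`, `'self'` and literal origins, which is enough to show the decision.

```javascript
// Added example (not from the original page). Function names, sample origins
// and policy labels are assumptions chosen for illustration.

// Headers a server should emit for a document that must not be framed by other
// origins. CSP frame-ancestors takes precedence over X-Frame-Options in browsers
// that support it; sending both covers old and new browsers.
function antiFramingHeaders(policy) {
  switch (policy) {
    case 'deny':
      return { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': "frame-ancestors 'none'" };
    case 'sameorigin':
      return { 'X-Frame-Options': 'SAMEORIGIN', 'Content-Security-Policy': "frame-ancestors 'self'" };
    default:
      throw new Error(`unknown policy: ${policy}`);
  }
}

// Case-insensitive header lookup; returns undefined when the header is absent.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Minimal frame-ancestors matcher: supports 'none', 'self' and literal origins
// (real browsers do fuller source-expression matching). Returns null when the
// directive is absent so the caller falls back to X-Frame-Options.
function cspFrameAncestorsAllow(csp, resourceOrigin, ancestorOrigins) {
  if (!csp) return null;
  const directive = csp.split(';').map((d) => d.trim().split(/\s+/))
    .find((tokens) => tokens[0].toLowerCase() === 'frame-ancestors');
  if (!directive) return null;
  const sources = directive.slice(1);
  if (sources.length === 0 || sources.includes("'none'")) return false;
  return ancestorOrigins.every((o) =>
    sources.some((src) => src === o || (src === "'self'" && o === resourceOrigin)));
}

// Models the check a browser makes when a response arrives for a frame.
//   resourceOrigin  : origin of the document being loaded into the frame
//   ancestorOrigins : origins of every ancestor document, parent first;
//                     an empty list means a top-level navigation
//   headers         : the framed document's response headers
// Returns true if the browser will render the document inside the frame.
function framingAllowed(resourceOrigin, ancestorOrigins, headers) {
  if (ancestorOrigins.length === 0) return true; // not framed, nothing to block

  // A frame-ancestors directive, when present, replaces X-Frame-Options entirely.
  const cspDecision = cspFrameAncestorsAllow(
    header(headers, 'content-security-policy'), resourceOrigin, ancestorOrigins);
  if (cspDecision !== null) return cspDecision;

  const xfo = header(headers, 'x-frame-options');
  if (xfo === undefined) return true; // header missing: anyone may frame the page

  // Values are split on commas and lower-cased; conflicting values block.
  const values = [...new Set(xfo.split(',').map((v) => v.trim().toLowerCase()))];
  if (values.length > 1) {
    return !values.some((v) => v === 'deny' || v === 'sameorigin' || v === 'allowall');
  }
  switch (values[0]) {
    case 'deny':
      return false;
    case 'sameorigin':
      // Every ancestor must share the framed document's origin. Some older
      // browsers compared only the top-level page, which let a same-origin
      // page nested inside an attacker's page bypass the check.
      return ancestorOrigins.every((o) => o === resourceOrigin);
    default:
      // Unrecognised values, including the never-standardised ALLOW-FROM, are ignored.
      return true;
  }
}

// Constructed scenario: an attacker page at https://evil.example frames a
// transfer page served by https://bank.example, under each header configuration.
function demo() {
  const bank = 'https://bank.example';
  const fromAttacker = ['https://evil.example'];
  const legacyOnly = (v) => ({ 'X-Frame-Options': v });
  return {
    noHeader: framingAllowed(bank, fromAttacker, {}),                                       // true: vulnerable
    legacyDeny: framingAllowed(bank, fromAttacker, legacyOnly('DENY')),                     // false
    legacySameOriginAttacker: framingAllowed(bank, fromAttacker, legacyOnly('SAMEORIGIN')), // false
    legacySameOriginBank: framingAllowed(bank, [bank], legacyOnly('SAMEORIGIN')),           // true
    modernDeny: framingAllowed(bank, fromAttacker, antiFramingHeaders('deny')),             // false
  };
}
```

`demo()` makes the point of the page concrete: with no header the framed page renders inside the attacker's document, and either ``DENY`` or ``SAMEORIGIN`` blocks it. The ``SAMEORIGIN`` branch checks the whole ancestor chain, so a same-origin page that is itself framed by an attacker page is still blocked.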

Browsers that support X-Frame-Options
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* Internet Explorer 8+
* Firefox 3.6.9+
* Opera 10.5+
* Safari 4+
* Chrome 4.1+