What is Clickjacking? - apviso

Clickjacking
============

An attack that tricks users into clicking hidden elements on a transparent overlay, performing unintended actions on a trusted website.

Tags: vulnerability, browser security, UI attack

Clickjacking (also known as UI redressing) is an attack where a malicious page embeds a target website in a transparent iframe and positions it so that user clicks intended for the malicious page are actually performed on the hidden target site. This can trick users into performing actions like changing settings, making purchases, or granting permissions without their knowledge.

The attack works by layering an invisible iframe over a decoy page. When the user clicks what they think is a button on the visible page, they're actually clicking a button on the hidden target site where they're already authenticated.

Defenses include the X-Frame-Options header (DENY or SAMEORIGIN), the Content-Security-Policy frame-ancestors directive (the modern replacement), and JavaScript frame-busting code (less reliable). The CSP frame-ancestors directive is the recommended approach, as it offers more granular control than X-Frame-Options.

How APVISO tests for this: APVISO's pentester agent checks for missing or misconfigured X-Frame-Options and CSP frame-ancestors headers. It verifies that sensitive pages (login, settings, payment) are properly protected against framing by external sites.
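The header check described in the two paragraphs above, written out as an added example (this is not APVISO's code or tooling, and the sample responses are constructed, not captured from any site). It audits a response's headers the way a browser evaluates them: an enforced CSP `frame-ancestors` directive takes precedence over X-Frame-Options, a report-only policy enforces nothing, and obsolete or unrecognised X-Frame-Options values such as ALLOW-FROM are ignored and so leave the page frameable. It also builds the recommended header pair for a new deployment. Frame-busting JavaScript is not covered, since it cannot be judged from headers alone.

```python
"""Audit HTTP response headers for clickjacking (framing) protection.

Added example, not APVISO's code or tooling. It assumes response headers
are supplied as (name, value) pairs, since Content-Security-Policy may be
sent more than once and every enforced copy applies.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple

# Source expressions that let any site (or any site on a scheme) frame the page.
OPEN_SOURCES = {"*", "http:", "https:"}


@dataclass
class FramingVerdict:
    protected: bool
    reason: str
    allowed_ancestors: List[str] = field(default_factory=list)


def frame_ancestors_sources(policy: str) -> Optional[List[str]]:
    """Return the source list of a CSP frame-ancestors directive, or None if absent."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def audit_framing(headers: Iterable[Tuple[str, str]]) -> FramingVerdict:
    """Decide whether these headers stop third-party sites from framing the page."""
    enforced: List[List[str]] = []  # frame-ancestors lists from enforced CSP headers
    report_only = False             # directive seen only in a report-only CSP
    xfo: List[str] = []
    for name, value in headers:
        key = name.lower()
        if key == "content-security-policy":
            sources = frame_ancestors_sources(value)
            if sources is not None:
                enforced.append(sources)
        elif key == "content-security-policy-report-only":
            report_only |= frame_ancestors_sources(value) is not None
        elif key == "x-frame-options":
            # A header may carry a comma-separated list; browsers split it.
            xfo.extend(v.strip().lower() for v in value.split(",") if v.strip())

    # Browsers that support frame-ancestors ignore X-Frame-Options once an
    # enforced CSP carries the directive, so CSP is evaluated first.
    if enforced:
        if any(src in ([], ["'none'"]) for src in enforced):
            return FramingVerdict(True, "CSP frame-ancestors 'none' blocks all framing")
        if all(OPEN_SOURCES & set(src) for src in enforced):
            return FramingVerdict(False, "CSP frame-ancestors permits any origin to frame the page")
        allowed = sorted({s for src in enforced if not OPEN_SOURCES & set(src) for s in src})
        return FramingVerdict(True, "CSP frame-ancestors restricts framing to an allow-list", allowed)

    if xfo:
        if len(set(xfo)) > 1:
            return FramingVerdict(True, "conflicting X-Frame-Options values; browsers refuse to frame")
        if xfo[0] == "deny":
            return FramingVerdict(True, "X-Frame-Options: DENY")
        if xfo[0] == "sameorigin":
            return FramingVerdict(True, "X-Frame-Options: SAMEORIGIN", ["'self'"])
        # ALLOW-FROM and any other unrecognised value are ignored by current browsers.
        return FramingVerdict(False, f"X-Frame-Options value {xfo[0]!r} is not honoured; page is frameable")

    if report_only:
        return FramingVerdict(False, "frame-ancestors only in a report-only policy; nothing is enforced")
    return FramingVerdict(False, "no X-Frame-Options or CSP frame-ancestors header")


def framing_headers(ancestors: Optional[List[str]] = None) -> List[Tuple[str, str]]:
    """Build the header pair to send: CSP as the primary control, X-Frame-Options as fallback.

    None means nobody may frame the page; ["'self'"] means same origin only;
    any other list is an explicit allow-list, which X-Frame-Options cannot
    express (ALLOW-FROM is obsolete), so only the CSP header is emitted.
    """
    sources = ancestors or ["'none'"]
    headers = [("Content-Security-Policy", "frame-ancestors " + " ".join(sources))]
    if sources == ["'none'"]:
        headers.append(("X-Frame-Options", "DENY"))
    elif sources == ["'self'"]:
        headers.append(("X-Frame-Options", "SAMEORIGIN"))
    return headers


# Constructed sample responses for the sensitive pages named above (hostnames are placeholders).
SAMPLES = {
    "login":    [("Content-Type", "text/html")],
    "settings": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
    "payment":  [("Content-Security-Policy-Report-Only", "frame-ancestors 'none'")],
    "hardened": framing_headers(),
    "embedded": [("X-Frame-Options", "DENY"),
                 ("Content-Security-Policy", "frame-ancestors 'self' https://app.example")],
}

if __name__ == "__main__":
    for page, hdrs in SAMPLES.items():
        v = audit_framing(hdrs)
        print(f"{page:9} {'OK  ' if v.protected else 'WEAK'} {v.reason}")
```

The "embedded" sample is the case worth noticing: its X-Frame-Options: DENY is overridden by the enforced CSP, so the page is frameable by `https://app.example`; an audit that only looked at X-Frame-Options would report it as fully locked down. When both headers are sent, keep them consistent and treat the CSP directive as the one that actually decides.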

Related Terms
-------------

- [Cross-Site Scripting (XSS)](/glossary/cross-site-scripting)
- [Cross-Site Request Forgery (CSRF)](/glossary/csrf)
- [Security Misconfiguration](/glossary/security-misconfiguration)

Test your applications for clickjacking vulnerabilities
-------------------------------------------------------

APVISO's AI agents automatically test for this and many more vulnerability categories.

[Contact sales](/contact)

© 2026 APVISO. All rights reserved.
