What Is Clickjacking?

Clickjacking: A UI redressing attack in which an attacker loads a target website in a transparent iframe overlaid on a malicious page. Users who think they are clicking buttons on the visible page are actually clicking elements on the hidden target site, performing unintended actions such as transferring funds, changing settings, or granting permissions.

Why It Matters for AI-Coded Apps

AI-generated applications almost never include an X-Frame-Options header or a Content-Security-Policy frame-ancestors directive. Without them, any page can embed your application in an iframe, enabling clickjacking attacks that trick your users into performing actions without their knowledge.

Real-World Example

An attacker creates a page that says ‘Click here to win a prize!’ but loads your banking app in a transparent iframe positioned so that ‘Win Prize’ aligns with ‘Transfer $1000.’ Users click what they think is a game button but actually confirm a money transfer on your application.

How to Detect and Prevent It

Set the X-Frame-Options: DENY header (or SAMEORIGIN if your own pages need to iframe each other). Use Content-Security-Policy with frame-ancestors 'none' or an explicit list of allowed origins. Both headers stop browsers from rendering your site inside iframes on unauthorized domains. Add them in your server configuration or middleware so that every response carries them.
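As an added example (not code from the original page or from Vibe Eval), the following Node.js snippet shows an Express-style middleware that sets both headers, plus a small checker that models how a browser decides whether an embedding origin may frame a response, which is useful for verifying that a deployed app actually sends the right headers. The origin lists and header maps are constructed inputs, and the checker only does exact origin matches (CSP host wildcards are not modelled).

```javascript
// Added example, not from the original page or Vibe Eval; inputs are constructed.

// Header values for a framing policy: [] blocks all framing, ['self'] allows only
// the same origin. A list of origins is expressible only in CSP; legacy
// X-Frame-Options cannot carry a list, so it falls back to SAMEORIGIN there.
function frameProtectionHeaders(allowedOrigins = []) {
  const sources = allowedOrigins.map(o => (o === 'self' ? "'self'" : o));
  return {
    'Content-Security-Policy':
      `frame-ancestors ${sources.length ? sources.join(' ') : "'none'"}`,
    'X-Frame-Options': sources.length ? 'SAMEORIGIN' : 'DENY',
  };
}

// Express-compatible middleware: app.use(frameProtection()) in a real app.
// Only res.setHeader() is used, so it also works with Node's bare http module.
function frameProtection(allowedOrigins = []) {
  const headers = frameProtectionHeaders(allowedOrigins);
  return (req, res, next) => {
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    next();
  };
}

// Case-insensitive header lookup (browsers and Node both treat names that way).
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name);
  return key === undefined ? undefined : String(headers[key]);
}

// Would a browser let `embedderOrigin` frame a page from `pageOrigin` served with
// these headers? Mirrors browser precedence: a CSP frame-ancestors directive, when
// present, overrides X-Frame-Options; otherwise DENY/SAMEORIGIN apply, and any
// other value (including the obsolete ALLOW-FROM) gives no protection.
function framingAllowed(headers, pageOrigin, embedderOrigin) {
  const csp = getHeader(headers, 'content-security-policy') || '';
  const directive = /(?:^|;)\s*frame-ancestors\s+([^;]+)/i.exec(csp);
  if (directive) {
    const sources = directive[1].trim().split(/\s+/);
    if (sources.includes("'none'")) return false;
    if (sources.includes('*')) return true;
    if (sources.includes("'self'") && embedderOrigin === pageOrigin) return true;
    return sources.includes(embedderOrigin); // exact origin match only
  }
  const xfo = (getHeader(headers, 'x-frame-options') || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedderOrigin === pageOrigin;
  return true; // no usable header: any site can embed the page
}
```

Running framingAllowed against the headers captured from a real response (for example via res.getHeaders() in a test, or the response headers from a fetch to the deployed app) gives a quick regression check that frame protection has not been dropped.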

Frequently Asked Questions

What is the difference between X-Frame-Options and CSP frame-ancestors?

X-Frame-Options is older and supports only DENY, SAMEORIGIN, or ALLOW-FROM (deprecated in most browsers). CSP frame-ancestors is the modern replacement and supports a list of specific origins. Use both headers for maximum compatibility: X-Frame-Options for older browsers and CSP for modern ones.

Can JavaScript prevent clickjacking?

Frame-busting JavaScript (for example, if (top !== self) top.location = self.location) was historically used, but it is easily bypassed, for instance with the sandbox attribute on the embedding iframe, which blocks the framed page's scripts or its attempt to navigate the top window. HTTP headers (X-Frame-Options, CSP frame-ancestors) are the only reliable prevention method.

Does clickjacking affect SPAs?

Yes. Single-page applications are equally vulnerable to clickjacking if they lack frame protection headers. The SPA’s API endpoints can also be targeted: if clicking a button triggers an API call, the clickjacked click triggers the same call with the user’s authenticated session.

Scan your app for security issues automatically

Vibe Eval checks for 200+ vulnerabilities in AI-generated code.
