Clickjacking Prevention
Clickjacking (also known as a user-interface redress attack or iframe overlay)
is used by attackers to trick users into clicking on a transparent layer (carrying malicious
code) placed over the legitimate buttons or clickable content of a site. To prevent clickjacking,
you must prevent third-party sites from including your website within an iframe.
While no security remediation can prevent every clickjacking attack, developers must implement
iframe protections in accordance with relevant industry standards and guidelines, such as PCI DSS
and the Open Worldwide Application Security Project (OWASP), when using and securing iframes.
You are required to implement the recommended prevention techniques in your website. For
more information on PCI DSS and OWASP, see these websites:
Web application protections for Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) must also be incorporated.
- For XSS protection, you must implement comprehensive input validation and use the OWASP-recommended security encoding library to perform output encoding on your website.
- For CSRF protection, you are strongly encouraged to use a synchronized token pattern. This measure requires generating a randomized token associated with the user session. The token is included whenever an HTTP request is sent to the server, and your server application verifies that the token in the request matches the one associated with the user session.
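As an added example, not taken from this page, the following minimal Python request handler shows both measures together: every response carries the headers that stop other sites from framing the page (`Content-Security-Policy: frame-ancestors 'none'` and `X-Frame-Options: DENY`, the standard browser mechanisms, which the page itself does not name), and state-changing POST requests are accepted only with a valid synchronized CSRF token. The `handle_request` function, the `session` dictionary and the `csrf_token` form field name are assumptions made for the example.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Response headers that prevent third-party sites from framing a page.
# frame-ancestors is the CSP directive; X-Frame-Options covers older browsers.
ANTI_CLICKJACKING_HEADERS = {
    "Content-Security-Policy": "frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
}


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Synchronized token pattern: mint one random token per session and keep it
    server-side so later requests can be checked against it."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def csrf_token_is_valid(session: Dict[str, str], submitted: Optional[str]) -> bool:
    """Compare the token carried by the request with the session's token.
    compare_digest avoids leaking the token through timing differences."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_request(session: Dict[str, str], method: str,
                   form: Dict[str, str]) -> Tuple[int, Dict[str, str], str]:
    """Hypothetical handler (assumption): returns (status, headers, body).
    Every response carries the anti-framing headers; POST requires the token."""
    headers = dict(ANTI_CLICKJACKING_HEADERS)
    if method == "GET":
        token = issue_csrf_token(session)
        # The token is embedded in the form so the browser sends it back on submit.
        body = ('<form method="post"><input type="hidden" name="csrf_token" '
                f'value="{token}"></form>')
        return 200, headers, body
    if method == "POST":
        if not csrf_token_is_valid(session, form.get("csrf_token")):
            return 403, headers, "CSRF token missing or invalid"
        return 200, headers, "action performed"
    return 405, headers, "method not allowed"
```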