Clickjack Testing Tool | UI Redressing

How to Prevent Clickjacking – Step-by-Step Guide

Clickjacking (UI redressing) works by loading your page inside an invisible iframe on an attacker's site and tricking the visitor into clicking it. It is blocked by HTTP response headers that tell the browser not to render your page inside a frame at all, or only inside frames from origins you name. The headers must be sent on every HTML response (including error pages and redirects); a <meta> tag does not work, because browsers ignore both of these headers when delivered that way. Here's how to set them, whether your site runs on WordPress, Apache, NGINX, or custom PHP.

Step 1: Understand the Required Headers

  • X-Frame-Options: the older header. DENY forbids all framing; SAMEORIGIN allows frames only from your own origin. ALLOW-FROM is obsolete and ignored by current browsers, so a site relying on it is not protected.
  • Content-Security-Policy with the frame-ancestors directive: the modern replacement. It takes 'none', 'self', or a list of origins allowed to embed your site, and when it is present the browser ignores X-Frame-Options and follows it instead. Send both so older browsers are covered too.

Step 2: Check If Your Site Is Vulnerable

Use the NoClickjack tool to:

  • Paste your website URL
  • Get iframe preview
  • View vulnerability status & missing headers

Step 3: Add Security Headers

For Apache (.htaccess)

# Requires mod_headers. "always" adds the headers to error responses too.
# If you already send a Content-Security-Policy, add frame-ancestors 'self'
# to that policy rather than overwriting it with a second "set".
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Content-Security-Policy "frame-ancestors 'self'"

For NGINX

# Put these in the server block. An add_header inside a location block
# replaces (does not extend) the add_header lines inherited from the server
# block, so repeat them in any location that sets its own headers.
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Content-Security-Policy "frame-ancestors 'self'" always;

For WordPress (no access to the server configuration)

<?php
// Add to your theme's functions.php or a small plugin. The send_headers hook
// fires on front-end requests before any output, so header() still works.
// WordPress core already sends X-Frame-Options: SAMEORIGIN on wp-login.php
// and wp-admin; this covers the public pages.
function add_clickjacking_protection_headers() {
  header('X-Frame-Options: SAMEORIGIN');
  header("Content-Security-Policy: frame-ancestors 'self'");
}
add_action('send_headers', 'add_clickjacking_protection_headers');

Step 4: Re-Test Your Site

Go back to the NoClickjack tool, scan again, and make sure the status shows Safe. Scan the pages an attacker would actually target (login, checkout, account settings), not only the home page: headers set per location or per application can be missing from some responses while the front page looks fine.

Step 5: Monitor Regularly

  • Use CSP reporting (advanced): a report-to (or the older report-uri) directive in the policy makes browsers send a report each time framing is blocked, which shows you who is trying to embed your site.
  • Add the headers at your CDN (e.g., Cloudflare) as well, but keep them on the origin too, since the origin server may be reachable directly.
  • Re-check with NoClickjack periodically and after any server, plugin, or CDN change; a configuration change can silently drop the headers.

Example of a Safe Header Output

X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self';
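The check that Steps 2 and 4 describe, written out as an added example (this is not the NoClickjack tool's own code). It classifies a response the way a browser would: an enforced frame-ancestors directive wins, otherwise X-Frame-Options DENY or SAMEORIGIN blocks, and anything else (no header, the obsolete ALLOW-FROM, a report-only policy, frame-ancestors *) leaves the page framable. The sample header sets are constructed, the first being the safe output shown above; fetch_headers is an assumed helper name for live use.

```python
"""Offline clickjacking header check.

Added example for this guide, not the NoClickjack tool's own code. Rules:
  1. an enforced Content-Security-Policy with frame-ancestors wins outright;
  2. otherwise X-Frame-Options DENY or SAMEORIGIN blocks framing;
  3. anything else leaves the page framable.
"""
from urllib.error import HTTPError
from urllib.request import Request, urlopen


def parse_csp(value):
    """Split a CSP header value into {directive: [source tokens]}.
    Directives are ';'-separated; only the first occurrence of a name counts."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def _values(headers, name):
    """All values of header `name` (case-insensitive) from (name, value) pairs."""
    return [v for n, v in headers if n.lower() == name]


def _result(status, reasons, missing):
    return {"status": status, "reasons": reasons, "missing": missing}


def check_clickjacking(headers):
    """Classify a response from its (name, value) header pairs.
    Returns {"status": "Safe"|"Vulnerable", "reasons": [...], "missing": [...]}."""
    reasons, missing = [], []

    # 1. An enforced CSP frame-ancestors directive overrides X-Frame-Options.
    for value in _values(headers, "content-security-policy"):
        sources = parse_csp(value).get("frame-ancestors")
        if sources is None:
            continue
        sources = [s.lower() for s in sources]
        if "'none'" in sources:
            reasons.append("CSP frame-ancestors 'none': no site may frame this page")
            return _result("Safe", reasons, missing)
        # A bare * or a scheme-only source such as https: admits any origin.
        if "*" in sources or any(s.endswith(":") for s in sources):
            reasons.append("CSP frame-ancestors %s lets any origin frame the page"
                           % " ".join(sources))
            return _result("Vulnerable", reasons, missing)
        reasons.append("CSP frame-ancestors limits framing to: " + " ".join(sources))
        return _result("Safe", reasons, missing)
    missing.append("Content-Security-Policy frame-ancestors")

    if _values(headers, "content-security-policy-report-only"):
        reasons.append("Content-Security-Policy-Report-Only only reports; "
                       "it does not block framing")

    # 2. X-Frame-Options as browsers read it: comma-split and lowercased;
    #    one DENY/SAMEORIGIN blocks, conflicting values also block,
    #    anything else (ALLOW-FROM included) is ignored.
    xfo = {v.strip().lower() for raw in _values(headers, "x-frame-options")
           for v in raw.split(",") if v.strip()}
    if not xfo:
        missing.append("X-Frame-Options")
    elif len(xfo) > 1:
        reasons.append("conflicting X-Frame-Options values %s: browsers refuse "
                       "to frame, but remove the duplicate" % sorted(xfo))
        return _result("Safe", reasons, missing)
    elif xfo <= {"deny", "sameorigin"}:
        reasons.append("X-Frame-Options %s blocks framing" % xfo.pop().upper())
        return _result("Safe", reasons, missing)
    else:
        reasons.append("X-Frame-Options '%s' is not DENY or SAMEORIGIN and is "
                       "ignored (ALLOW-FROM is obsolete)" % xfo.pop())

    # 3. Nothing effective: an attacker's page can load this one in an iframe.
    reasons.append("no effective framing restriction")
    return _result("Vulnerable", reasons, missing)


def fetch_headers(url, timeout=10):
    """Live helper (assumed name): a URL's response headers as (name, value) pairs.
    Error pages need the headers too, so a 4xx/5xx response is still inspected."""
    req = Request(url, headers={"User-Agent": "clickjack-header-check/1.0"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.getheaders()
    except HTTPError as err:
        return list(err.headers.items())


# Constructed sample responses (no network needed).
SAFE_RESPONSE = [            # the "Safe Header Output" from this guide
    ("Content-Type", "text/html"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Content-Security-Policy", "frame-ancestors 'self';"),
]
VULNERABLE_RESPONSE = [("Content-Type", "text/html")]   # no framing headers
MISLEADING_RESPONSE = [      # looks protected, is not
    ("X-Frame-Options", "ALLOW-FROM https://partner.example"),
    ("Content-Security-Policy-Report-Only", "frame-ancestors 'none'"),
]
```

For a live check, replace a constructed list with fetch_headers("https://your-site.example/login") and print check_clickjacking(...)["reasons"]; the "misleading" sample is the case to remember, since a scanner that only looks for the header names being present would call it Safe.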
  

Summary Table

Step  Action                  Result
1     Scan with NoClickjack   Check whether your site is vulnerable
2     Add required headers    Block iframe-based attacks
3     Re-scan                 Confirm the status shows Safe