As part of the Cyber Security training I am doing, a deliverable is to write a web application that prevents clickjacking attacks.
What is clickjacking?
Clickjacking refers to any attack where the user is tricked into clicking, allowing for malicious content to be executed. Clickjacking can often occur on web pages that make use of iframes. Ultimately, it is the art of tricking the user and exploiting their trust.
Two techniques you can use to prevent clickjacking
One method is to make use of HTTP headers, as recommended by OWASP. OWASP also suggests a client-side defence: hide the entire body of the HTML document and only show it after verifying that the page is not framed.
The X-Frame-Options header specifies whether a page can be embedded in a <frame>, <iframe>, <embed> or <object> element.
Within the header options, you have a few choices:
- deny to block all framing
- sameorigin to allow framing only by pages of the same origin (sensible)
- allow-from to allow framing by pages from specified URIs – which does not provide cross-browser compatibility.