CLICK01 Clickjacking Protection Missing
What this means
SiteShadow flagged missing or weak frame protections that allow your pages to be embedded in a malicious site (UI redressing / clickjacking).
Why it matters
Clickjacking can trick users into performing actions inside a hidden iframe.
- Users can be tricked into clicking "Delete", "Authorize", "Transfer", etc. while seeing something else.
- Works especially well against admin panels and OAuth/consent flows.
Safer examples
1) Set Content-Security-Policy: frame-ancestors
This is the modern, preferred control.
Example policy:
frame-ancestors 'none' (best default for most apps)
- or allowlist only your own domains if embedding is required
2) Set X-Frame-Options as a legacy fallback
Use DENY or SAMEORIGIN depending on your needs.
3) Protect the highest-risk pages
Admin, billing, OAuth consent, and any state-changing UI should never be embeddable by untrusted origins.
How SiteShadow detects it (high level)
- Flags responses/config that lack frame-ancestors/X-Frame-Options for web apps.
- Highlights when sensitive pages are served without frame protections.
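The following is an added example, not SiteShadow's own code or scanner logic. It covers both halves of this page: the "Safer examples" steps 1-3 (emitting a CSP frame-ancestors directive with X-Frame-Options as the legacy fallback, via a small WSGI middleware that can be put in front of admin or consent routes) and the detection section (a header classifier that applies the same missing/weak/legacy/protected judgement a scanner would). The origin https://portal.example, the four verdict names and the middleware's merge behaviour are assumptions chosen for the example, not values from the page.

```python
"""Emit and check clickjacking (frame) protections. Added example, not SiteShadow code."""
import re


def frame_protection_headers(allowed_origins=None):
    """Headers to send. No allowlist -> deny all framing (step 1's default).
    With an allowlist, CSP carries the origins; X-Frame-Options cannot express a
    list, so it falls back to SAMEORIGIN (step 2's legacy fallback)."""
    if not allowed_origins:
        return {"Content-Security-Policy": "frame-ancestors 'none'",
                "X-Frame-Options": "DENY"}
    csp = "frame-ancestors 'self' " + " ".join(allowed_origins)
    return {"Content-Security-Policy": csp, "X-Frame-Options": "SAMEORIGIN"}


def add_frame_protection(app, allowed_origins=None):
    """WSGI middleware: guarantees both headers on every response. An existing
    CSP that lacks frame-ancestors gets the directive appended rather than
    replaced; an existing frame-ancestors directive is left untouched."""
    wanted = frame_protection_headers(allowed_origins)
    directive = wanted["Content-Security-Policy"]

    def wrapped(environ, start_response):
        def start_with_frames(status, response_headers, exc_info=None):
            merged, have_csp, have_xfo = [], False, False
            for name, value in response_headers:
                lname = name.lower()
                if lname == "content-security-policy":
                    have_csp = True
                    if "frame-ancestors" not in value.lower():
                        value = value.rstrip("; ") + "; " + directive
                elif lname == "x-frame-options":
                    have_xfo = True
                merged.append((name, value))
            if not have_csp:
                merged.append(("Content-Security-Policy", directive))
            if not have_xfo:
                merged.append(("X-Frame-Options", wanted["X-Frame-Options"]))
            return start_response(status, merged, exc_info)
        return app(environ, start_with_frames)
    return wrapped


def assess_frame_protection(headers):
    """Classify a response's headers the way a scanner would.
    Returns (level, reason); level is one of
    "protected" (enforcing frame-ancestors that restricts origins),
    "legacy"    (only X-Frame-Options DENY/SAMEORIGIN; still add CSP),
    "weak"      (frame-ancestors allows any origin, or ALLOW-FROM),
    "missing"   (neither control present).
    Content-Security-Policy-Report-Only is deliberately ignored: it does not enforce."""
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy", "")
    xfo = lower.get("x-frame-options", "").strip().upper()

    match = re.search(r"(?:^|;)\s*frame-ancestors\s+([^;]*)", csp, re.IGNORECASE)
    if match:
        sources = match.group(1).split()
        if any(s == "*" or s.lower() in ("http:", "https:") for s in sources):
            return ("weak", "frame-ancestors allows any origin: " + " ".join(sources))
        return ("protected", "frame-ancestors restricts embedding to: " + " ".join(sources))
    if xfo in ("DENY", "SAMEORIGIN"):
        return ("legacy", "only X-Frame-Options %s; add CSP frame-ancestors" % xfo)
    if xfo.startswith("ALLOW-FROM"):
        return ("weak", "X-Frame-Options ALLOW-FROM is not honoured by modern browsers")
    return ("missing", "no frame-ancestors directive and no X-Frame-Options header")


def final_headers(app, allowed_origins=None):
    """Run a WSGI app once through the middleware and return its headers as a dict."""
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["headers"] = response_headers
    list(add_frame_protection(app, allowed_origins)({}, start_response))
    return dict(captured["headers"])


def admin_app(environ, start_response):
    """Constructed sample app: an admin page that already sets a CSP without frame-ancestors."""
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Content-Security-Policy", "default-src 'self'")])
    return [b"<h1>admin</h1>"]


if __name__ == "__main__":
    before = {"Content-Security-Policy": "default-src 'self'"}
    print("before:", assess_frame_protection(before))
    after = final_headers(admin_app)
    print("after: ", after, assess_frame_protection(after))
```

The classifier treats a permissive `frame-ancestors *` as weak rather than protected, which is the case a pure presence check would miss; the middleware appends the directive to an existing CSP instead of overwriting it so that the app's other directives survive.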
References
- OWASP Top 10: https://owasp.org/Top10/
---