SiteShadow
Back to vulnerability library
Detected byPro-tier static analysisPro

CLICK01 Clickjacking Protection Missing

What this means

SiteShadow flagged missing or weak frame protections that allow your pages to be embedded in a malicious site (UI redressing / clickjacking).

Why it matters

Clickjacking can trick users into performing actions inside a hidden iframe.

Safer examples

1) Set Content-Security-Policy: frame-ancestors

This is the modern, preferred control.

Example policy:

2) Set X-Frame-Options as a legacy fallback

Use DENY or SAMEORIGIN depending on your needs.

3) Protect the highest-risk pages

Admin, billing, OAuth consent, and any state-changing UI should never be embeddable by untrusted origins.

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.