What is Clickjacking?
Turkish: Clickjacking
Clickjacking tricks users into clicking hidden or disguised interface elements, often by framing a trusted page inside another site.
What is Clickjacking?
Clickjacking is a user-interface redress attack: the user sees one thing, but the click lands on something else. An attacker typically loads a trusted page inside an iframe on a page they control, makes the frame transparent or positions it under decoy controls, and lines up a sensitive button or link with the spot the user is enticed to click.
For example, a user may think they are clicking a harmless game button while the click is actually delivered to a "confirm" button in a framed settings page on another site. Because the browser sends the victim's cookies with the framed page, the action is processed as that user. The risk is highest on admin panels and on any page that performs a state-changing action with a single click while the user is logged in.
How to Prevent It
The primary defense is preventing sensitive pages from being framed by other sites. X-Frame-Options can be set to DENY (never framed) or SAMEORIGIN (framed only by pages from the same origin); the older ALLOW-FROM value is not supported by current browsers and is treated as if the header were absent. The more modern and flexible approach is the frame-ancestors directive in Content-Security-Policy, which accepts 'none', 'self', or a list of allowed origins, including wildcard hosts such as https://*.example.com. When both headers are present, a browser that understands frame-ancestors uses it and ignores X-Frame-Options, so the two must agree. Both must be sent as HTTP response headers on every response that should not be framed, including error pages; frame-ancestors is ignored when placed in a <meta> tag.
Re-authentication for critical actions, CSRF protection, clear confirmation text, and interface patterns that make user intent explicit can reduce impact. Cookies with the SameSite attribute set to Lax or Strict are not sent when a page is loaded cross-site inside an iframe, which removes the authenticated session from the framed page. Legacy JavaScript "frame-busting" scripts are not a substitute: an attacker can disable them, for example with the iframe sandbox attribute. Security headers remain the core browser-level defense against framing abuse.
Security headers are central to clickjacking protection. XSS is a different attack class, since it injects script into the trusted page rather than framing it, but both are addressed by configuring the browser security model correctly, and Content-Security-Policy is a tool against both.