Easily Protect Your WordPress Site Against Clickjacking

Clickjacking

Clickjacking is a type of attack in which the victim unknowingly clicks on a fraudulent link. While browsing, the user clicks on an invisible link overlaid on top of another link (see image). Clickjacking mainly exploits invisible framing or “iframe” techniques to overlay fraudulent pages or buttons on top of legitimate content. In practice, the victim believes they are interacting with the official site when in fact they are clicking on a hidden malicious element. Beyond stealing credentials, this technique can allow an attacker to remotely trigger actions the user never intended, such as automatically sharing sensitive information, silently installing malware, or altering security settings without any visible consent. Impacts:

  1. Leading the user to click on a link that takes them to a fraudulent site (viruses, spyware and more);
  2. An attacker can capture users’ credentials and use that information to log in to the site.

For WordPress site owners

You can easily protect your site and your users by installing the WP Anti-Clickjacking plugin. Note that your site will no longer be usable inside an “iframe,” but this is very rarely necessary; if in doubt, feel free to write to us at support@zaa.cc or call us at +1 514 723-2673. https://en-ca.wordpress.org/plugins/wp-anti-clickjack/

For SPIP site owners or those who would rather not use the plugin

A manual change is possible to protect your sites. Here’s how to add the X-Frame-Options HTTP header to your website:

Using .htaccess

Add these lines to your .htaccess file located at the root of your site:

```apache
# Protect against clickjacking by preventing display inside an iframe.
# "set" rather than "append": the header must carry exactly one value, and
# "append" would stack a second value onto one set elsewhere in the config.
Header always set X-Frame-Options "DENY"
```

OR, if you want to allow only your own site to be embedded in an iframe on the same domain:

```apache
# Allow iframes only from the same domain
Header always set X-Frame-Options "SAMEORIGIN"
```
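Once the header is in place, it is worth verifying what the server actually sends. The checker below is an added example, not code from the article or the plugin; it takes a response's headers as (name, value) pairs (the shape http.client or urllib return) and reports whether framing is blocked, treating a Content-Security-Policy frame-ancestors directive as taking precedence over X-Frame-Options, flagging conflicting X-Frame-Options values (the usual result of stacking "append" directives), and treating the obsolete ALLOW-FROM as no protection. The sample responses are constructed for illustration.

```python
"""Check whether a response's headers stop the page from being framed.

Added example, not part of the original article. Input is a list of
(name, value) header pairs; the sample responses below are constructed,
not captured from a live site.
"""
import re


def frame_protection(headers):
    """Return (status, reason); status is 'protected', 'unprotected' or 'misconfigured'.

    A CSP frame-ancestors directive wins over X-Frame-Options. X-Frame-Options
    should carry exactly one value, DENY or SAMEORIGIN; ALLOW-FROM is obsolete
    and no longer honoured by current browsers.
    """
    for name, value in headers:
        if name.lower() == "content-security-policy":
            m = re.search(r"(?:^|;)\s*frame-ancestors\s+([^;]+)", value, re.I)
            if m:
                sources = m.group(1).strip()
                if sources == "*":
                    return "unprotected", "CSP frame-ancestors * allows any framer"
                return "protected", f"CSP frame-ancestors {sources}"
    # Repeated header lines and a comma-separated list are equivalent on the wire
    values = [v.strip().upper()
              for n, raw in headers if n.lower() == "x-frame-options"
              for v in raw.split(",") if v.strip()]
    if not values:
        return "unprotected", "no frame-ancestors and no X-Frame-Options"
    if len(set(values)) > 1:
        # Typically 'Header append' stacked onto a value set elsewhere; browsers
        # resolve conflicting values differently, so send exactly one value.
        return "misconfigured", f"conflicting X-Frame-Options values {values}"
    if values[0] in ("DENY", "SAMEORIGIN"):
        return "protected", f"X-Frame-Options {values[0]}"
    return "unprotected", f"X-Frame-Options {values[0]!r} is not DENY/SAMEORIGIN"


# Constructed sample responses (illustrative, not captured from any real site)
SAMPLES = {
    "plain":      [("Content-Type", "text/html")],
    "htaccess":   [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")],
    "stacked":    [("X-Frame-Options", "SAMEORIGIN"), ("X-Frame-Options", "DENY")],
    "allow_from": [("X-Frame-Options", "ALLOW-FROM https://example.com")],
    "csp":        [("X-Frame-Options", "DENY"),
                   ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        status, why = frame_protection(hdrs)
        print(f"{label:11} {status:13} {why}")
```

To check a live site, feed the pairs from `urllib.request.urlopen(url).getheaders()` into `frame_protection`.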