EncryptCodec

Clickjacking

Beginner

A transparent iframe overlays your bank's "Transfer" button on an evil site. You click "Win a Prize!" — and unknowingly confirm a $5,000 transfer. Fix it with X-Frame-Options and CSP.

Simulation panel: the attacker's page (evil.site) shows a "You're a winner!" prize button with a transparent iframe (opacity:0) overlaid on it; toggles set the bank's X-Frame-Options and CSP frame-ancestors response headers; a browser/server log records whether the click reached the bank's transfer button or the browser refused to load the frame.

Challenges

1. Trigger the Attack
With no headers set, click the button on the evil site — and watch it trigger the bank's hidden transfer.

2. Block with X-Frame-Options
Set X-Frame-Options to DENY. Confirm the browser refuses to load the bank inside the iframe.

3. Block with CSP frame-ancestors
Also enable Content-Security-Policy: frame-ancestors 'none'. This is the modern standard.
How to fix Clickjacking
X-Frame-Options, CSP frame-ancestors, framebusting
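The three challenge steps map onto a simple decision the browser makes from the bank's response headers. The following Python is an added example (not part of the simulation's own code) that models that decision and audits a header set the way a defender would before shipping: it implements the CSP frame-ancestors source matching and the X-Frame-Options fallback, including the rule that frame-ancestors, when present, overrides X-Frame-Options. The origins `https://bank.example`, `https://evil.site` and `https://app.partner.example`, and the three header sets, are constructed sample values.

```python
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Hardened headers for a page that must never be framed. Both are sent:
# frame-ancestors is the modern control, X-Frame-Options covers older
# browsers that do not understand CSP Level 2.
NO_FRAMING_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}

# Constructed header sets mirroring the three simulation steps.
STEP1_NO_HEADERS: Dict[str, str] = {}
STEP2_XFO_ONLY = {"X-Frame-Options": "DENY"}
STEP3_XFO_AND_CSP = NO_FRAMING_HEADERS


def _frame_ancestors(csp: Optional[str]) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    if not csp:
        return None
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def _host_source_matches(source: str, embedder_origin: str) -> bool:
    """Match a CSP host-source or scheme-source against the embedding page's origin."""
    emb = urlparse(embedder_origin)
    if source == "*":
        return True
    if source.endswith(":") and "/" not in source:      # scheme-source, e.g. "https:"
        return emb.scheme == source[:-1]
    if "://" not in source:                             # bare host, e.g. "evil.site"
        source = "//" + source
    src = urlparse(source)
    if src.scheme and src.scheme != emb.scheme:
        return False
    if src.port is not None and src.port != emb.port:
        return False
    host, emb_host = src.hostname or "", emb.hostname or ""
    if host.startswith("*."):                           # wildcard covers subdomains only
        return emb_host.endswith(host[1:])
    return host == emb_host


def framing_allowed(headers: Dict[str, str], embedder_origin: str, page_origin: str) -> bool:
    """Would a browser render page_origin inside a frame served by embedder_origin?"""
    h = {k.lower(): v for k, v in headers.items()}
    same_origin = embedder_origin.lower() == page_origin.lower()
    ancestors = _frame_ancestors(h.get("content-security-policy"))
    if ancestors is not None:
        # frame-ancestors present: X-Frame-Options is ignored entirely.
        if ancestors == ["'none'"]:
            return False
        for src in ancestors:
            if src == "'self'":
                if same_origin:
                    return True
            elif src != "'none'" and _host_source_matches(src, embedder_origin):
                return True
        return False
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return same_origin
    return True  # no header, or an unrecognised value: anyone may frame the page


def audit(headers: Dict[str, str]) -> List[str]:
    """Findings a reviewer would raise; an empty list means both controls are in place."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}
    if _frame_ancestors(h.get("content-security-policy")) is None:
        findings.append("missing Content-Security-Policy frame-ancestors")
    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("missing or weak X-Frame-Options")
    return findings


if __name__ == "__main__":
    for name, hdrs in (("step 1", STEP1_NO_HEADERS), ("step 2", STEP2_XFO_ONLY), ("step 3", STEP3_XFO_AND_CSP)):
        allowed = framing_allowed(hdrs, "https://evil.site", "https://bank.example")
        print(f"{name}: evil.site can frame the bank = {allowed}; findings = {audit(hdrs)}")
```

Running it walks the same path as the simulation: with no headers the evil page frames the bank, DENY alone blocks it, and the combined set blocks it while leaving `audit()` with nothing to report. The `'self'` and wildcard handling is there because real deployments usually need to permit their own origin or a known partner rather than deny all framing.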

Frequently Asked Questions