All fix guides

How to prevent clickjacking (X-Frame-Options / frame-ancestors)

Stop attackers from embedding your site in a hidden frame to trick users into clicking.

What it is

Clickjacking loads your site invisibly inside an attacker's page so a user's clicks land on your controls without them realizing.

Why it matters

A framed page can be used to trigger actions (change settings, confirm payments) that the user never intended.

How to fix it

  1. 1Add `X-Frame-Options: DENY` (or `SAMEORIGIN` if you frame your own pages).
  2. 2Better, use CSP: `frame-ancestors 'none'` (or list allowed origins) — it supersedes X-Frame-Options in modern browsers.
  3. 3If you legitimately embed content, list only the exact origins allowed to frame you.
  4. 4Re-scan to confirm clickjacking protection is in place.

Not sure if your site is affected?

Run a free scan — or let us fix it all for you.

Privacy and cookie preferences

We use strictly necessary cookies to run the site. Analytics, marketing, and AI assistant telemetry are optional and disabled until you choose. You can update consent any time in Cookie Settings.

Some infrastructure cookies, such as load balancer routing cookies, are essential for service delivery. Details: Cookie Policy