All fix guides
How to prevent clickjacking (X-Frame-Options / frame-ancestors)
Stop attackers from embedding your site in a hidden frame to trick users into clicking.
What it is
Clickjacking loads your site invisibly inside an attacker's page so a user's clicks land on your controls without them realizing.
Why it matters
A framed page can be used to trigger actions (change settings, confirm payments) that the user never intended.
How to fix it
- 1Add `X-Frame-Options: DENY` (or `SAMEORIGIN` if you frame your own pages).
- 2Better, use CSP: `frame-ancestors 'none'` (or list allowed origins) — it supersedes X-Frame-Options in modern browsers.
- 3If you legitimately embed content, list only the exact origins allowed to frame you.
- 4Re-scan to confirm clickjacking protection is in place.
Not sure if your site is affected?
Run a free scan — or let us fix it all for you.