Open in app

Sign in

Write

Sign in

Clickjacking Attacks and Protecting Your Web Products

Serhii Koziy
3 min readJan 20, 2025

As a Senior Frontend Developer, securing your application is just as important as delivering a seamless user experience. One critical attack vector that every frontend developer should be aware of is clickjacking. This article will break down what clickjacking is, how it impacts applications, and the measures you can take to protect your React application (and frontend applications in general) from such attacks.

What is Clickjacking?

Clickjacking, short for “UI redressing,” is a malicious technique where an attacker tricks a user into interacting with elements of a webpage that are hidden or disguised. The user unknowingly performs actions on the attacker’s site, such as clicking a button, submitting a form, or enabling permissions, under the guise of interacting with a legitimate interface.

For example:

  • A user visits a malicious website that embeds your application’s interface inside an invisible iframe.
  • The attacker overlays a deceptive UI on top of your application’s iframe.
  • When the user clicks on a visible button or link, they are unknowingly interacting with your application (e.g., performing unintended actions like liking a post, making a purchase, or transferring funds).

Why Clickjacking is Dangerous

Clickjacking can lead to severe consequences, including:

  • Unauthorized Actions: Users might unknowingly execute actions such as financial transactions or account modifications.
  • Data Theft: Attackers could capture sensitive information through hidden fields or forms.
  • Reputation Damage: Exploiting your application in a clickjacking attack can erode user trust.

Protecting Your React Application from Clickjacking

To prevent clickjacking, you need to safeguard your application at both the frontend and backend levels. Here are the best practices and techniques:

1. Use Frame Busting Techniques

Frame busting ensures your application cannot be loaded in an iframe on unauthorized domains. You can use HTTP headers like X-Frame-Options and Content-Security-Policy.

Example 1: Setting X-Frame-Options Header

// In your server configuration (e.g., Express.js):
app.use((req, res, next) => {
  res.setHeader("X-Frame-Options", "DENY"); // Prevents framing completely
  next();
});
  • DENY: Disallows framing entirely.
  • SAMEORIGIN: Allows framing only on the same origin.
  • ALLOW-FROM: Deprecated; specify allowed domains for framing.

Example 2: Setting Content-Security-Policy Header

app.use((req, res, next) => {
  res.setHeader(
    "Content-Security-Policy",
    "frame-ancestors 'self';" // Only allows the current site to frame the content
  );
  next();
});

2. Detect and Break Out of Frames in React

You can use JavaScript to detect if your application is being framed and break out of it.

Example: Frame-Busting Script in React

import { useEffect } from "react";

const useFrameBusting = () => {
  useEffect(() => {
    if (window.self !== window.top) {
      window.top!.location.href = window.self.location.href;
    }
  }, []);
};
const App = () => {
  useFrameBusting();
  return <div>Your App Content</div>;
};
export default App;

This snippet ensures that your application breaks out of any iframe and redirects to its own context.

3. Validate HTTP Referer Headers

You can validate the Referer header on sensitive endpoints to ensure that requests originate from trusted domains.

Example: Referer Validation Middleware

app.post("/sensitive-action", (req, res) => {
  const allowedReferer = "https://yourdomain.com";

  if (req.headers.referer?.startsWith(allowedReferer)) {
    // Proceed with the action
    res.status(200).send("Action successful");
  } else {
    res.status(403).send("Forbidden: Invalid referer");
  }
});

4. Utilize SameSite Cookies

Configure your cookies with the SameSite attribute to prevent them from being sent with cross-origin requests.

Example: Cookie Configuration

res.cookie("session_id", sessionId, {
  httpOnly: true,
  secure: true,
  sameSite: "Strict", // Ensures cookies are only sent for same-site requests
});

5. Educate and Train Developers

Ensure your team understands security best practices and integrates them into the development lifecycle:

  • Regular code reviews focused on security.
  • Using tools like OWASP ZAP to test your application against common vulnerabilities.

Conclusion

Clickjacking attacks exploit trust and interface vulnerabilities, making it essential for frontend developers to stay proactive. By implementing frame-busting techniques, leveraging secure HTTP headers, validating referers, and employing secure cookies, you can effectively protect your React application and maintain user trust.

Stay vigilant, and remember: security is not a one-time effort but an ongoing process.

Sign up to discover human stories that deepen your understanding of the world.

Free

Distraction-free reading. No ads.

Organize your knowledge with lists and highlights.

Tell your story. Find your audience.

Membership

Read member-only stories

Support writers you read most

Earn money for your writing

Listen to audio narrations

Read offline with the Medium app

Front End Development
Secure
Clickjacking
Protecting
React
Serhii Koziy
Serhii Koziy

Written by Serhii Koziy

20 Followers
3 Following

No responses yet

Write a response

What are your thoughts?

More from Serhii Koziy

See all from Serhii Koziy

Recommended from Medium

Lists

Stories to Help You Grow as a Software Developer

19 stories1624 saves

General Coding Knowledge

20 stories1945 saves

Medium's Huge List of Publications Accepting Submissions

414 stories4678 saves
Robot hand touching human hand

Natural Language Processing

1977 stories1619 saves
See more recommendations

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams