X-Frame-Options & CSP frame-ancestors: 2026 Anti-Clickjacking
Clickjacking lets attackers turn user clicks into unauthorized actions. Two HTTP headers secure your application.
In Short
Clickjacking (UI redress attack) is an attack where a malicious site loads your site within a transparent iframe over its own content. The user believes they are clicking on the attacker’s site, but they are actually clicking inside your iframe — logging out, transferring money, sharing a post, liking, changing settings — using their authenticated session.
Two headers block this attack:
- X-Frame-Options (RFC 7034) — legacy, but supported by older browsers
- CSP frame-ancestors — modern, takes priority in 2026
Best practice: set both for maximum compatibility.
Concrete Attacks
The “Win iPhone” Case
The attacker builds a fake site with a “Win iPhone — click here” button. Overlaid on the button is a transparent iframe loading https://internetbanking.company.ro/transfer (accessible if the user is authenticated to the banking app in another tab). Click → executes the transfer action with the legitimate session.
Like-jacking (Social Media)
The attacker’s site features a “Play video” button. Overlaid on the button is a transparent iframe containing the “Like” button of a Facebook page. The user thinks they are playing a video, but they are actually liking the page. Artificial boost, brand abuse.
Account Takeover via Password Reset
The attacker iframes company.ro/account/security with the “Add recovery email” button. The user, with an active session and unaware, adds the attacker’s email → subsequent password reset sends the link to the attacker.
Modern Protection: CSP frame-ancestors
Content-Security-Policy: frame-ancestors 'none';
No site can load you in an iframe. Default recommendation for sensitive applications (banking, admin panels).
For applications that allow iframing on their own site:
Content-Security-Policy: frame-ancestors 'self';
Or for specific partners (e.g., an embed platform):
Content-Security-Policy: frame-ancestors 'self' https://partner.com;
Legacy Protection: X-Frame-Options
For older browsers that do not support CSP frame-ancestors (very rare in 2026):
X-Frame-Options: DENY
Or:
X-Frame-Options: SAMEORIGIN
X-Frame-Options has 2 limitations compared to CSP:
- Does not accept a list of multiple origins (only DENY, SAMEORIGIN, or ALLOW-FROM <single origin>)
- ALLOW-FROM is not supported by Chrome / Safari
→ Use CSP frame-ancestors as primary, X-Frame-Options as fallback.
Step-by-Step Implementation
Step 1 — Identify applications that should not be iframed
Banking apps, admin panels, user dashboards, payment forms, OAuth flows — all require frame-ancestors 'none'.
Step 2 — Set the header globally on HTML responses
nginx:
add_header Content-Security-Policy "frame-ancestors 'none'" always;
add_header X-Frame-Options "DENY" always;
Apache:
Header always set Content-Security-Policy "frame-ancestors 'none'"
Header always set X-Frame-Options "DENY"
Caddy:
header Content-Security-Policy "frame-ancestors 'none'"
header X-Frame-Options "DENY"
Express (Node.js):
const express = require('express');
const helmet = require('helmet');
const app = express();
app.use(helmet.frameguard({ action: 'deny' })); // sets X-Frame-Options: DENY
// sets CSP frame-ancestors 'none'; helmet merges it with its default directives
// (default-src 'self', ...), so review the full policy before deploying
app.use(helmet.contentSecurityPolicy({ directives: { 'frame-ancestors': ["'none'"] } }));
Step 3 — Verification
curl -sI https://company.ro | grep -iE "x-frame-options|frame-ancestors"
Note that -I sends a HEAD request; if the application only sets these headers on GET responses, check with curl -s -D - -o /dev/null https://company.ro instead.
Online test: https://csp-evaluator.withgoogle.com/
Step 4 — Pages that allow iframing (exceptions)
If you have pages intended for iframing (widgets, embeds), set the following on those specific pages:
Content-Security-Policy: frame-ancestors 'self' https://partner.com
instead of 'none'. This is granular, configured per route.
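The verification in Step 3 can be automated. The following is an added example, not code from the article or from ARTEMIS: it takes the response headers (assumed to be already collected, lower-cased, one list of values per header name) and classifies the framing protection, flagging the X-Frame-Options limitations and the overly permissive frame-ancestors sources discussed above. The sample responses are constructed.

```python
from typing import Dict, List, Optional
# Added example (not from the article): classify a response's anti-clickjacking
# headers. `headers` maps lower-cased header names to every value received,
# because a server may send several Content-Security-Policy headers and each one is enforced.

def frame_ancestors_sources(csp_values: List[str]) -> Optional[List[str]]:
    """Source list of the first frame-ancestors directive found, or None."""
    for policy in csp_values:
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return tokens[1:]
    return None

def assess_framing(headers: Dict[str, List[str]]) -> Dict[str, object]:
    """Return a verdict plus the findings a reviewer would raise."""
    findings: List[str] = []
    sources = frame_ancestors_sources(headers.get("content-security-policy", []))
    csp_ok = sources is not None
    if sources is None:
        findings.append("CSP frame-ancestors missing")
        if frame_ancestors_sources(headers.get("content-security-policy-report-only", [])):
            findings.append("frame-ancestors only in a Report-Only header: not enforced")
    elif [s.lower() for s in sources] != ["'none'"]:
        for s in sources:
            # '*' or a bare scheme lets any site frame the page; an http:// origin is insecure
            if s in ("*", "http:", "https:") or s.lower().startswith("http://"):
                csp_ok = False
                findings.append(f"frame-ancestors source {s} permits broad or insecure framing")
    xfo = [v.strip().upper() for v in headers.get("x-frame-options", [])]
    xfo_ok = bool(xfo) and xfo[0] in ("DENY", "SAMEORIGIN")
    if not xfo:
        findings.append("X-Frame-Options missing (no fallback for legacy browsers)")
    elif xfo[0].startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options ALLOW-FROM is ignored by Chrome and Safari")
    elif not xfo_ok:
        findings.append(f"X-Frame-Options value {xfo[0]!r} is invalid and ignored")
    verdict = {(True, True): "protected", (True, False): "csp-only",
               (False, True): "xfo-only"}.get((csp_ok, xfo_ok), "unprotected")
    return {"verdict": verdict, "frame_ancestors": sources, "findings": findings}

# Constructed sample responses: the nginx configuration from Step 2, and a
# legacy-only deployment that relies on ALLOW-FROM.
HARDENED = {"content-security-policy": ["frame-ancestors 'none'"], "x-frame-options": ["DENY"]}
LEGACY_ONLY = {"x-frame-options": ["ALLOW-FROM https://partner.com"]}

if __name__ == "__main__":
    for name, h in (("hardened", HARDENED), ("legacy-only", LEGACY_ONLY)):
        print(name, assess_framing(h))
```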
Common Confusions
“X-Frame-Options is sufficient — I don’t need CSP anymore.” — In 2026, modern browsers (Chrome 90+, Firefox 90+) prioritize CSP frame-ancestors. X-Frame-Options remains a backup.
“frame-ancestors 'none' breaks my Stripe checkout.” — No. Stripe Checkout loads its own iframes into your page — that is protected by frame-src, not frame-ancestors. Fundamental difference.
“Clickjacking is an old problem, no longer practiced.” — Incorrect. In 2024-2025, there were active clickjacking attacks on crypto wallets (MyEtherWallet 2024, MetaMask phishing). Active vector.
Check Now
ARTEMIS detects missing X-Frame-Options + CSP frame-ancestors in any Site scan for 2 EUR. Plus 36 other technical checks.
🔗 Complementary CAI Technology Solutions
- ARTEMIS — X-Frame-Options + CSP verification + 36 other tests.
- Auditope — Holistic web audit (SEO + AI search + Performance + GDPR + WCAG).
- Lexnomia — EU compliance assessment (NIS2 / GDPR / PCI-DSS).
- BeLegal — Free 5-minute EU compliance check.
- AriaUnited — European funds consultancy for cybersecurity investments.