Clickjacking Protection

Clickjacking is a browser-based attack that tricks your customers into clicking a concealed page element, such as a button or link, that they never intended to activate.

In a clickjacking attack, the attacker loads the target page (for example, your customer portal) in a transparent layer on top of a decoy page that the attacker controls. Users believe they are clicking the visible buttons of the decoy, while their clicks actually land on the invisible target page. Because the hidden page is an authentic one, such as the signed-in portal of a well-known, reputable business, the clicks are carried out with the customer's real browser session. This makes it possible for attackers to trick your customers into performing unintended actions in their own accounts.

A common defense against clickjacking is to prevent the site you are protecting from being loaded into a frame at all, either by sending response headers that instruct the browser not to frame the page (X-Frame-Options or the Content-Security-Policy frame-ancestors directive) or by running a frame-busting script on the page itself.

The ClickjackPrevention widget, included by default in the standard and mobile templates, ensures that your customer portal cannot be viewed inside a frame or iframe.

If your deployment requires the portal to be displayed inside a frame, you can edit the standard.php file of your template to remove the widget. For the complete procedure, see Remove ClickjackPrevention from the Template. Removing the widget also removes its clickjacking protection, so do this only when framing is genuinely required and the portal remains covered by another anti-framing control.

For more information on clickjacking, including the meaning of the X-Frame-Options response header values (DENY and SAMEORIGIN) and the Content-Security-Policy frame-ancestors directive, search for the Clickjacking Defense Cheat Sheet on the OWASP Foundation website.
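The following is an added example, not the ClickjackPrevention widget's own code and not from the OWASP cheat sheet. It shows both layers of the defense described above in runnable JavaScript: a frame-busting guard of the kind a widget like ClickjackPrevention performs in the browser, and a checker for the X-Frame-Options and Content-Security-Policy frame-ancestors headers that tells you whether a given origin could frame a page served with those headers. The origins (portal.example, attacker.example), the sample responses and the fake window object are constructed for the example; the source matching ignores ports and paths.

```javascript
// Added example (not the widget's code). Runs under Node without a browser.

// ---- Layer 1: client-side frame breaker (the widget-style fallback) ----
// Assumes the page's stylesheet ships `body { display: none }`, so the page
// stays blank unless this guard confirms it is the top-level document.
function frameGuard(win) {
  const body = win.document.body;
  if (win.self === win.top) {
    body.style.display = 'block'; // not framed: reveal the page
    return 'shown';
  }
  // Framed: try to replace the framing page with this one. A hostile parent can
  // defeat this (sandboxed iframes, navigation-cancelling handlers), which is
  // why the response headers checked in layer 2 are the primary control.
  try {
    win.top.location = win.self.location;
  } catch (e) {
    // Cross-origin access to top.location may throw; the body stays hidden.
  }
  return 'blocked';
}

// ---- Layer 2: response-header check ----
// Case-insensitive lookup over a plain { name: value } header object.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Source list of the frame-ancestors directive, or null if the directive is absent.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

// Does one CSP source expression match `origin` ("scheme://host")? Handles
// 'none', 'self', '*', scheme-only sources ("https:"), exact hosts and "*."
// wildcards. Simplification: ports and paths are ignored.
function sourceMatches(source, origin, selfOrigin) {
  const src = source.replace(/^'(.*)'$/, '$1').toLowerCase();
  if (src === 'none') return false;
  if (src === '*') return true;
  if (src === 'self') return origin === selfOrigin;
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return origin.startsWith(src + '//');
  const [oScheme, oHost] = origin.split('://');
  let scheme = null;
  let host = src;
  if (src.includes('://')) [scheme, host] = src.split('://');
  if (scheme !== null && scheme !== oScheme) return false;
  if (host.startsWith('*.')) return oHost.endsWith(host.slice(1));
  return oHost === host;
}

// Can a page served with `headers` be framed by `origin`? When frame-ancestors
// is present it takes precedence and X-Frame-Options is ignored, as in
// CSP-aware browsers.
function canBeFramedBy(headers, origin, selfOrigin) {
  const ancestors = frameAncestors(header(headers, 'content-security-policy'));
  if (ancestors !== null) {
    return ancestors.some((src) => sourceMatches(src, origin, selfOrigin));
  }
  const xfo = (header(headers, 'x-frame-options') || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return origin === selfOrigin;
  // Missing, misspelled or obsolete (ALLOW-FROM) values give no protection.
  return true;
}

// Constructed origins and sample responses (assumed names, not real hosts).
const PORTAL_ORIGIN = 'https://portal.example';
const HOSTILE_ORIGIN = 'https://attacker.example';
const SAMPLE_RESPONSES = {
  none: {},
  xfoDeny: { 'X-Frame-Options': 'DENY' },
  xfoSame: { 'X-Frame-Options': 'SAMEORIGIN' },
  xfoAllowFrom: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
  cspSelf: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self'" },
  cspWildcard: { 'Content-Security-Policy': "frame-ancestors 'self' https://*.example.com" },
  cspOverridesXfo: { 'X-Frame-Options': 'SAMEORIGIN', 'Content-Security-Policy': "frame-ancestors 'none'" },
};

// For each sample response: could the hostile origin frame the portal?
function auditSamples() {
  const result = {};
  for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
    result[name] = canBeFramedBy(headers, HOSTILE_ORIGIN, PORTAL_ORIGIN);
  }
  return result;
}

// Minimal window stand-in so frameGuard can be exercised without a browser.
function makeFakeWindow(framed) {
  const win = { document: { body: { style: { display: 'none' } } }, location: PORTAL_ORIGIN + '/account' };
  win.self = win;
  win.top = framed ? { location: HOSTILE_ORIGIN + '/decoy' } : win;
  return win;
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log(auditSamples());
  console.log(frameGuard(makeFakeWindow(true)), frameGuard(makeFakeWindow(false)));
}
```

Running the file prints the audit: only the response with no header, and the one using the obsolete ALLOW-FROM value, can be framed by the hostile origin. The wildcard policy is safe against attacker.example but would admit any subdomain of example.com, which is the kind of overbroad allow-list worth questioning when the widget is removed and headers become the only control.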