PHP Security

How to Prevent Clickjacking in PHP?

Updated on: February 18, 2022

How to Prevent Clickjacking in PHP?

Clickjacking is an unauthorized way to trick an unsuspecting user into clicking a web page element that is either partly visible or is completely hidden by layering upon another element. The attacker, conveniently, hijacks the clicks and route it to some other page, which may be malicious.

The result of such an attack can highly affect your site visitors, eventually causing them to redirect to some malicious website. If your website is identified to host Clickjacking elements, it can lead to a website blacklisting and can trash your SEO efforts. Preventing the Clickjacking attacks in PHP is crucial to enhance the overall security of the site.

Here we will discuss the five Clickjacking prevention measures you can implement on your website. So read on.

What happens in a Clickjacking attack?

Usually, the hacker tries to hide the malicious webpage inside an iframe, concealing it upon the actual visible page. This way, the user gets tricked into thinking that they are clicking on a genuine link on the evident webpage. Whereas, in reality, they aren’t. This technique is also called a UI redressing attack.

In the digital era, Clickjacking has emerged as a major cybersecurity concern across the globe. In fact, many users across the website unknowingly make security mistakes that create a significant impact on user security.

Related Guide – Comprehensive PHP Security Guide

Thus, framing all the above concerns, we covered our deep insights to prevent clickjacking attacks in PHP in the next segment.

Five ways to prevent Clickjacking in PHP

1. Defending with Content Security Policy (CSP) frame-ancestors directive

 Content Security Policy (CSP) frame-ancestors directive
frame-ancestors directive

The HTTP Content-Security-Policy response header allows web site administrators to regulate the resources used by the user agents to load elements for a given page. The frame-ancestors directive used in a Content Security Policy designates the browser, whether it should be authorized to execute a page in a <frame> or not. Also, ‘Frame-ancestors’ allows a site to sanction multiple domains using the conventional interpretation of Content-Security-Policy.Besides, The Content-Security-Policy (CSP) frame-ancestors directive defines authoritative parents that may sink a page using <frame>, <iframe>, <object>, <embed>, or <applet>.

Thus, you can apply this methodology to evade Clickjacking attacks and ensure whether or not your web content is inserted into other sites.

2. Defending with X-Frame-Options Response Headers

Source: Drupal

The X-Frame-Options header is managed by a browser to execute a page in a <frame><embed> or <object>. You can use this header in your sites to avoid Clickjacking attacks. All you need to do is to anchor the X-Frame-Options header for all responses comprising HTML content. Evidently, the header values are typically classified into three types “DENY,” “SAMEORIGIN,” and “ALLOW-FROM Uri”.

Practical Implementation

In order to implement this protection measure, you need to attach the X-Frame-Options HTTP Response header to whatever page that you want to defend from being a victim of clickjacking.

Related Guide – PHP Malware Removal

Besides, You can also apply a manual approach to add the HTTP Response Header. An easier process to add the header would be to use a filter that automatically adds the header to every PHP web page, attaching itself to the web application firewall at the server level.

In order to setup X-Frame-Options SAMEORIGIN header on Apache, amend this to your site’s configuration:

Header always set X-Frame-Options "SAMEORIGIN"

The SAMEORIGIN X-Frame-Options allows only the same site to frame the content.

To configure Apache to set the X-Frame-Options DENY, add this to your site’s configuration:

Header set X-Frame-Options "DENY"

The DENY X-Frame-Options prevents any domain from framing the content.

PHP security issues & prevention steps

3. Protection through a window.confirm()

Usually, implementing a frame-breaking script is the most reliable approach to prevent Clickjacking. However, in some cases where content is frameable, window.confirm() comes to play.

window.confirm() warns the user about the action he/she is going to take by clicking on that particular element. window.confirm() does this by presenting the user with a dialog box with a specified message and OK and CANCEL buttons.

Even if the window.confirm() originates from a domain other than the parent, the dialog box shows the info of the parent domain the window.confirm() began from.

The script provided below is an illustration of practical implementation of window.confirm():

<script type="text/javascript"> 
var action_confirm = window.confirm("Are you sure you want to delete your youtube account?") 
if (action_confirm) { //... Perform action } 
else { //... The user does not want to perform the requested action.` } 

4. Best-for-now Legacy Browser Frame Breaking Script

Another efficient way to stop Clickjacking is to use the “frame-breaker” script. This script prevents a webpage from being framed in legacy browsers. For this method to work, you need to include this script on each page that is not supposed to be framed.

Usually, legacy browsers allow users to shift automatically within Chrome or another browser by enabling a set of policies that specify to launch the alternative browser. Therefore, you can use this script to prevent Clickjacking as an alternative when your webpage does not support the X-Frame-Options-Header.

To implement this preventive measure, add the following code in the HEAD element of your script. Note how an ID is added to the STYLE element. This is important for the next steps.

<style id="antiClickjack">
    body{display:none !important;}

Now, delete that STYLE element after the implementation of the script:

<script type="text/javascript">
    if (self === top) {
        var antiClickjack = document.getElementById("antiClickjack");
    } else {
        top.location = self.location;

This way, you can include everything in the document HEAD and prevent your PHP webpage from Clickjacking.

5. Defending with SameSite Cookies

 Defending with SameSite Cookies
Defending with SameSite Cookies; Source: Netsparker

The same site cookies are primarily aimed to guard against cross-site request forgery (CSRF). However, it is also intended to protect against PHP based Clickjacking attacks.

Cookies adjoined with a SameSite attribute won’t be added in requests made to a page within an <iframe> or <frame>. This implies that if session cookies are noted as SameSite, Then the authentication acquired by the victim won’t work for any Clickjacking attack. This means that cookies associated with that website won’t be sent to the attacker.

All you need to do is to amend two possible changes to the attribute:

Set-Cookie: CookieName=CookieValue; SameSite=Lax; Set-Cookie: CookieName=CookieValue; SameSite=Strict;

This procedure is explained in detail on website.

Besides, getting an automated tool like a firewall works wonders when it comes to protecting from Clickjacking. The Astra Security suite which comes primed with a firewall, a malware scanner, and several other features protects you from Clickjacking, SQLi, XSS, CSRF, LFI, RFI, and 80+ other security threats.

30,000 websites get hacked every single day. Are you next?

Secure your website from malware & hackers using Website Protection before it is too late.

Jinson Varghese

Jinson Varghese Behanan is an Information Security Analyst at Astra. Passionate about Cybersecurity from a young age, Jinson completed his Bachelor's degree in Computer Security from Northumbria University. When he isn’t glued to a computer screen, he spends his time reading InfoSec materials, playing basketball, learning French and traveling. You can follow him on Medium or visit his Website for more stories about the various Security Audits he does and the crazy vulnerabilities he finds.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany