
How do I test if my website prevented Clickjacking?

I was asked to check how to prevent Clickjacking on our website.

I did some research and this is what I understand, please correct me if I'm wrong: The attacker will use an iframe to layer their website over your website, then make their iframe transparent. When a user clicks a button on our website, they are actually clicking on the hacker's website. To prevent this, disable iframes on our website.

I went to this website to check, but I got this error:

Couldn't find the X-Frame-Options header in the response headers.

What does it mean? I'm not sure.

I also searched online and found that you need to add this code to .htaccess:

    <IfModule mod_headers.c>
        Header always append X-Frame-Options SAMEORIGIN
    </IfModule>

But how do I know if it works?

Clickjacking is about an attacker using an iframe on their website to include yours, with tricks like making your website's iframe transparent. The point is that if a user is logged on to your website (the victim), your website will load the user's content, and the attacker can visually position elements on their website (over your invisible website's iframe, for example) so that an unsuspecting user visiting the attacker's website will click things in your application. This works because, without further protection of the authentication token (e.g. the session cookie), your website will just load the user's authenticated content in the iframe.

You could argue that if it loads in the iframe on the attacker's site, why don't they just read or do whatever they want? That's not possible though, because the same-origin policy prevents JavaScript on the attacker's origin from accessing content from another origin (yours), even if it's on the same page in an iframe. But they can possibly make the user perform actions by inadvertently clicking stuff they didn't want to.

This was used to gather likes on Facebook for example, Facebook was loaded in an invisible iframe on malicious sites, and then something like an advertisement's close button was positioned right over a Facebook like button - you tried to close the annoying ad, and in fact liked something you didn't want to.

One protection against this is that your app (or Facebook in the example above) should not allow itself to be displayed in an iframe. And that's exactly what X-Frame-Options does. With the value 'deny' it will just never be displayed in an iframe; with 'sameorigin' your own origin (~domain name) can display parts of itself in iframes, but other origins cannot (so an attacker cannot include your site on a different domain).

X-Frame-Options is an HTTP response header, so to check that it works, you can use the network tab of the developer tools in your browser. In most browsers you hit F12, choose the network tab, load your website, find and click the initial request that downloaded the actual page, and you can inspect the list of response headers. That should include X-Frame-Options with the value 'deny' or 'sameorigin'.

You can also use online tools to perform these simple scans (see the other answer for an example), but I think it's worth actually understanding what you're doing and why.
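The header check from this answer, as an added example that is not code from the question or either answer: given the headers of a response (here a few constructed sample responses, not captured from any real site), it decides whether a page on another origin could frame the page, applying the X-Frame-Options rules browsers use (missing header allows framing, DENY blocks, SAMEORIGIN blocks other origins, conflicting values block, the obsolete ALLOW-FROM is ignored) and the fact that an enforced Content-Security-Policy frame-ancestors directive takes precedence over X-Frame-Options. The origins SITE_ORIGIN and ATTACKER_ORIGIN are assumed values for the demonstration.

```python
"""Added example, not from the original question or answers: decide from a
response's headers whether another origin could put the page in an <iframe>.
Sample responses and origins below are constructed for the demonstration."""
from urllib.parse import urlsplit

SITE_ORIGIN = "https://www.example.com"       # assumed: the site being tested
ATTACKER_ORIGIN = "https://evil.example.net"  # assumed: a page trying to frame it


def parse_headers(raw: bytes) -> list[tuple[str, str]]:
    """Split a raw HTTP response head into (lowercased name, value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def _frame_ancestors_allow(sources, site_origin, framer_origin):
    """Simplified CSP frame-ancestors matching: 'self', '*', scheme sources,
    host sources and *.host wildcards. Ports and paths are not modelled."""
    framer = urlsplit(framer_origin)
    for src in sources:
        s = src.lower()
        if s == "'self'":
            if framer_origin == site_origin:
                return True
        elif s == "*":
            return True
        elif s.endswith(":") and "/" not in s:  # scheme source such as https:
            if framer.scheme == s[:-1]:
                return True
        elif s != "'none'":
            scheme, _, host = s.rpartition("://")
            if scheme and scheme != framer.scheme:
                continue
            host = host.split("/", 1)[0].split(":", 1)[0]
            if host.startswith("*."):
                if framer.hostname and framer.hostname.endswith(host[1:]):
                    return True
            elif framer.hostname == host:
                return True
    return False  # 'none', or no source matched the framing origin


def framing_allowed(headers, site_origin, framer_origin) -> bool:
    """True if a page at framer_origin could frame this response."""
    # An enforced CSP frame-ancestors directive makes the browser ignore
    # X-Frame-Options entirely (report-only policies do not count).
    for name, value in headers:
        if name == "content-security-policy":
            for directive in value.split(";"):
                parts = directive.split()
                if parts and parts[0].lower() == "frame-ancestors":
                    return _frame_ancestors_allow(parts[1:], site_origin, framer_origin)
    # Collect every X-Frame-Options value: repeated headers (what "Header
    # always append" can produce) and comma-separated lists are merged.
    values = {v.strip().lower() for n, val in headers if n == "x-frame-options"
              for v in val.split(",") if v.strip()}
    if not values:
        return True  # no header at all: any site can frame the page
    if len(values) > 1:
        # Conflicting values: blocked if any recognised keyword is among them.
        return not (values & {"deny", "sameorigin", "allowall"})
    (value,) = values
    if value == "deny":
        return False
    if value == "sameorigin":
        return framer_origin == site_origin
    return True  # unrecognised value (e.g. ALLOW-FROM ...): treated as absent


SAMPLE_RESPONSES = {  # constructed responses, not captured from any real site
    "no header": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
    "sameorigin": b"HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n",
    "deny twice": b"HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nX-Frame-Options: DENY\r\n\r\n",
    "conflicting": b"HTTP/1.1 200 OK\r\nX-Frame-Options: DENY, ALLOWALL\r\n\r\n",
    "allow-from": b"HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://evil.example.net\r\n\r\n",
    "csp overrides xfo": (b"HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOWALL\r\n"
                          b"Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n\r\n"),
    "csp partner": (b"HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n"
                    b"Content-Security-Policy: frame-ancestors 'self' https://*.example.org\r\n\r\n"),
}


def verdicts(site_origin=SITE_ORIGIN, framer_origin=ATTACKER_ORIGIN):
    """Map each sample name to True if framer_origin could frame it."""
    return {name: framing_allowed(parse_headers(raw), site_origin, framer_origin)
            for name, raw in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, allowed in verdicts().items():
        print(f"{name:18} -> {'FRAMABLE (vulnerable)' if allowed else 'blocked'}")
```

To run it against a live site, paste the raw response head from the developer tools (or from `curl -sI https://your-site/`) in place of one of the samples; the practically important cases are the first and fifth: no header and an ALLOW-FROM value both leave the page framable.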

You can get more details on X-Frame-Options here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

You can add the snippet below at the end of your server's .htaccess file and test the site on https://clickjacker.io/test .

# The Header directive is provided by mod_headers, so guard on that module
# (not mod_rewrite) or the directive is silently skipped when the guard fails.
<IfModule mod_headers.c>
    Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>
