Clickjack Testing Tool | UI Redressing

NoClickjack is a free, instant tool that checks any website for clickjacking vulnerabilities and missing security headers. Just enter your URL and secure your site with a simple scan.

What is Clickjacking?

Clickjacking (also known as UI redressing) is a deceptive attack where a malicious website hides your website inside a transparent or invisible iframe. The attacker tricks users into clicking on buttons or links they don’t see, but which exist on your real website.

How It Works:

  1. Attacker embeds your site inside a transparent iframe.

  2. They place fake buttons or overlays on top.

  3. When the user clicks, the action actually happens on your site — like:

    • Submitting a form

    • Changing settings

    • Making a payment

    • Sharing something on social media


Real-World Risks:

  • Unauthorized transactions

  • Account takeovers or forced logouts

  • Social engineering attacks

  • Bypassing CSRF protections


Why It’s Dangerous:

Clickjacking can damage user trust, expose sensitive actions, and even be used to trick admins into changing critical settings.

How NoClickjack Works

Step-by-step Clickjacking Protection — Made Simple

Step 1

Enter Your Website URL

Paste any URL into the scanner. No login or signup needed.

Step 2

We Scan for Vulnerabilities

Our tool checks if your website is vulnerable to clickjacking using iframe tests and header inspection.

Step 3

Get Your Results

You’ll see whether your site is safe or at risk — with clear explanations of missing security headers.

Step 4

Fix With Our Guide

If vulnerable, you’ll get step-by-step instructions (or a plugin download) to patch the issue right away.

How to Prevent Clickjacking – Step-by-Step Guide

Clickjacking attacks are blocked by setting specific HTTP response headers that tell browsers not to render your site inside an iframe. Here’s how to secure your site, whether it’s WordPress, Apache, NGINX, or custom PHP.

Step 1: Understand the Required Headers

  • X-Frame-Options: tells the browser not to render the page inside a frame at all (DENY) or only inside frames from the same origin (SAMEORIGIN).
  • Content-Security-Policy: its frame-ancestors directive lists the origins allowed to embed your site; in current browsers it takes precedence over X-Frame-Options, which is still worth sending for older ones.

Step 2: Check If Your Site Is Vulnerable

Use the NoClickjack tool to:

  • Paste your website URL
  • Get iframe preview
  • View vulnerability status & missing headers

Step 3: Add Security Headers

For Apache (.htaccess)

# Requires mod_headers. "always" also applies the headers to error responses (4xx/5xx).
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Content-Security-Policy "frame-ancestors 'self';"

For NGINX

# Put these in the server block. Note that an add_header inside a location block
# replaces, rather than merges with, the add_header directives inherited from server.
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Content-Security-Policy "frame-ancestors 'self';";

For WordPress (No server access)

// Add to your theme's functions.php or a small site-specific plugin.
// send_headers fires before any output, so header() still works here.
function add_clickjacking_protection_headers() {
  header('X-Frame-Options: SAMEORIGIN');
  header("Content-Security-Policy: frame-ancestors 'self'");
}
add_action('send_headers', 'add_clickjacking_protection_headers');

Step 4: Re-Test Your Site

Go back to the NoClickjack tool, scan again, and make sure the status shows Safe.

Step 5: Monitor Regularly

  • Use CSP reporting (advanced)
  • Add security headers via your CDN (e.g., Cloudflare)
  • Use NoClickjack periodically to stay protected

Example of a Safe Header Output

X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self';
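The header inspection that Steps 3 and 4 rely on can be reproduced offline. The following Python script is an added example and is not NoClickjack's own code; it takes raw response headers (four constructed sample sets are embedded, including the safe output shown above) and reports whether X-Frame-Options and the CSP frame-ancestors directive actually block framing. It also handles the cases a quick scan tends to miss: the obsolete ALLOW-FROM value, conflicting duplicate X-Frame-Options headers, a CSP that carries no frame-ancestors directive at all, and a frame-ancestors list that allows any origin.

```python
"""Added example: evaluate response headers for clickjacking protection."""
from dataclasses import dataclass, field

# Constructed sample header sets (not real captures).
SAFE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self';
"""

UNPROTECTED_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html
"""

# ALLOW-FROM is obsolete, and a CSP without frame-ancestors says nothing about framing.
WEAK_HEADERS = """\
HTTP/1.1 200 OK
X-Frame-Options: ALLOW-FROM https://partner.example
Content-Security-Policy: default-src 'self'; script-src 'self'
"""

WILDCARD_HEADERS = """\
HTTP/1.1 200 OK
Content-Security-Policy: frame-ancestors *
"""


@dataclass
class FrameReport:
    protected: bool
    xfo_ok: bool
    csp_ok: bool
    notes: list = field(default_factory=list)


def parse_headers(raw: str) -> dict:
    """Parse 'Name: value' lines into {lower-case name: [values]}, keeping repeats."""
    headers: dict = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue  # status line or blank
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_xfo(values: list) -> tuple:
    """X-Frame-Options is effective only as a single DENY or SAMEORIGIN header."""
    if not values:
        return False, "X-Frame-Options: missing"
    if len(values) > 1:
        return False, "X-Frame-Options: conflicting values; browsers ignore the header"
    v = values[0].upper()
    if v in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options: {v} (effective)"
    if v.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options: ALLOW-FROM is obsolete and ignored by current browsers"
    return False, f"X-Frame-Options: unrecognised value {values[0]!r}; browsers ignore it"


def frame_ancestors_sources(policy: str):
    """Return the frame-ancestors source list from one CSP policy, or None if absent."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def check_csp(values: list) -> tuple:
    """Only frame-ancestors restricts framing. '*' or a bare scheme (http:, https:)
    lets any site embed the page. With several CSP headers every policy must pass,
    so one strict frame-ancestors list is enough to block framing."""
    if not values:
        return False, "Content-Security-Policy: missing"
    permissive = {"*", "http:", "https:"}
    saw_directive = False
    for policy in values:
        sources = frame_ancestors_sources(policy)
        if sources is None:
            continue
        saw_directive = True
        if not any(s in permissive for s in sources):
            return True, f"Content-Security-Policy: frame-ancestors {' '.join(sources)} (effective)"
    if saw_directive:
        return False, "Content-Security-Policy: frame-ancestors allows any origin"
    return False, "Content-Security-Policy: present but has no frame-ancestors directive"


def assess(raw: str) -> FrameReport:
    """Combine both checks; either effective header blocks framing, but both are recommended."""
    headers = parse_headers(raw)
    xfo_ok, xfo_note = check_xfo(headers.get("x-frame-options", []))
    csp_ok, csp_note = check_csp(headers.get("content-security-policy", []))
    notes = [xfo_note, csp_note]
    if xfo_ok != csp_ok:
        notes.append("Set both: CSP frame-ancestors for current browsers, X-Frame-Options for older ones.")
    return FrameReport(xfo_ok or csp_ok, xfo_ok, csp_ok, notes)


if __name__ == "__main__":
    for label, raw in [("safe", SAFE_HEADERS), ("unprotected", UNPROTECTED_HEADERS),
                       ("weak", WEAK_HEADERS), ("wildcard", WILDCARD_HEADERS)]:
        report = assess(raw)
        print(f"{label}: {'Safe' if report.protected else 'At risk'}")
        for note in report.notes:
            print("  -", note)
```

To check a live site, paste the headers from `curl -sI https://your-site.example` into `assess()`; check the page or route that performs the sensitive action, since headers set only on the home page leave other responses unprotected.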

Summary Table

Step | Action                | Result
-----+-----------------------+----------------------------------
1    | Scan with NoClickjack | Check if your site is vulnerable
2    | Add required headers  | Block iframe-based attacks
3    | Re-scan               | Confirm safety status

Frequently Asked Questions

How common is clickjacking?

Clickjacking is fairly common, especially among websites that do not use proper security headers. Many websites unknowingly allow themselves to be embedded in iframes, making them vulnerable to such attacks.

You can enable clickjacking protection by setting the following HTTP headers on your server:

  • X-Frame-Options: SAMEORIGIN or DENY

  • Content-Security-Policy: frame-ancestors 'self';

These headers instruct browsers not to render your site in iframes on unauthorized domains.

Security best practices recommend setting both X-Frame-Options and Content-Security-Policy headers to restrict iframe embedding. Regularly scan your site and use tools like NoClickjack to monitor these settings.

Frame busting is a JavaScript technique that tries to prevent a page from being embedded in an iframe by redirecting it to the top window. However, it is outdated and unreliable: modern browsers may block it, so using security headers is preferred.

Two key headers help prevent clickjacking:

  • X-Frame-Options

  • Content-Security-Policy (specifically frame-ancestors)

These should be configured at the server or application level.

Clickjacking can:

  • Trick users into performing actions they didn’t intend

  • Lead to unauthorized transactions or data exposure

  • Bypass CSRF protections

  • Damage your brand’s trust and credibility

UI redressing is another term for clickjacking. It describes attacks where the user interface is manipulated (or “dressed”) to trick users into interacting with hidden or disguised elements.