ClickJack Test

Test your website for clickjacking vulnerabilities

Enter a URL above to check for X-Frame-Options and CSP frame-ancestors headers.

What is clickjacking?

Clickjacking is an attack where a site tricks a user into clicking something they did not intend to. An attacker loads your page inside a transparent iframe layered over their own site. The user sees the attacker's page -- but their clicks land on yours.

Two HTTP response headers prevent this. A site needs at least one of them to be protected:

  • X-Frame-Options -- set to DENY (block all embedding) or SAMEORIGIN (allow only your own domain). The ALLOW-FROM directive is obsolete and causes modern browsers to ignore the entire header.
  • Content-Security-Policy: frame-ancestors -- the modern approach. Use frame-ancestors 'none' (equivalent to DENY) or frame-ancestors 'self' (equivalent to SAMEORIGIN). Unlike most CSP directives, frame-ancestors does not fall back to default-src. Supported in all browsers since 2018.

This tool sends a HEAD request to your URL and checks whether either header is present with a restrictive value. It does not test JavaScript-based frame-busting scripts, which are easily bypassed. A “Protected” result means your server returned a valid defense header. “Vulnerable” means neither was detected -- add one.
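The header evaluation described above, as an added example that is not the tool's own code: it applies the page's rules (ALLOW-FROM nullifies X-Frame-Options; frame-ancestors never falls back to default-src) to constructed sample response headers, and additionally treats a Content-Security-Policy-Report-Only header as non-protecting, since report-only policies never block framing.

```python
from typing import Dict, Tuple

# Constructed sample responses for this example, not captured from real servers.
SAMPLE_RESPONSES = {
    "deny": {"X-Frame-Options": "DENY"},
    "allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp-self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "csp-default-only": {"Content-Security-Policy": "default-src 'none'"},
    "allow-from-plus-csp": {"X-Frame-Options": "ALLOW-FROM https://partner.example",
                            "Content-Security-Policy": "frame-ancestors 'none'"},
    "report-only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
    "no-headers": {"Server": "nginx"},
}

def xfo_is_restrictive(value: str) -> bool:
    """DENY and SAMEORIGIN protect; ALLOW-FROM makes modern browsers drop the header."""
    v = value.strip().upper()
    if v.startswith("ALLOW-FROM"):
        return False
    return v in ("DENY", "SAMEORIGIN")

def frame_ancestors_is_restrictive(csp: str) -> bool:
    """True when the enforced CSP has a frame-ancestors directive that limits embedding.
    default-src is ignored on purpose: frame-ancestors never falls back to it."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if not tokens or tokens[0].lower() != "frame-ancestors":
            continue
        sources = [t.lower().strip("'") for t in tokens[1:]]
        if not sources or "*" in sources:
            return False
        # Scheme-only sources such as https: admit every origin using that scheme.
        return not any(s.endswith(":") for s in sources)  # first directive wins
    return False

def classify(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason): Protected when either header carries a restrictive value."""
    h = {k.lower(): v for k, v in headers.items()}
    if "x-frame-options" in h and xfo_is_restrictive(h["x-frame-options"]):
        return "Protected", "X-Frame-Options"
    if "content-security-policy" in h and frame_ancestors_is_restrictive(h["content-security-policy"]):
        return "Protected", "CSP frame-ancestors"
    # Content-Security-Policy-Report-Only only reports violations; it does not block framing.
    return "Vulnerable", "none"

if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        print(f"{name:22s} -> {classify(headers)}")
```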

X-Frame-Options vs CSP frame-ancestors: the sharp edges -- ALLOW-FROM nullification, default-src gotcha, meta tags, and ancestor chain checking.