ClickJack Test

Test your website for clickjacking vulnerabilities


What is clickjacking?

Clickjacking is an attack where a site tricks a user into clicking something they did not intend to. An attacker loads your page inside a transparent iframe layered over their own site. The user sees the attacker's page — but their clicks land on yours.

Two HTTP response headers prevent this. A site needs at least one of them to be protected:

  • X-Frame-Options — set to DENY (block all embedding) or SAMEORIGIN (allow only your own domain). The ALLOW-FROM directive is obsolete and ignored by modern browsers.
  • Content-Security-Policy: frame-ancestors — the modern approach. Use frame-ancestors 'none' (equivalent to DENY) or frame-ancestors 'self' (equivalent to SAMEORIGIN). Supported in all browsers since 2018.

This tool sends a HEAD request to your URL and checks whether either header is present with a restrictive value. It does not test JavaScript-based frame-busting scripts, which are unreliable and easily bypassed. A “Protected” result means your server returned a valid defense header. “Vulnerable” means neither was detected — add one.