Free Tool

Free Clickjacking Protection Test

Check whether any website is protected against clickjacking. We test for X-Frame-Options and the CSP frame-ancestors directive in seconds.

Free and instant. No account or signup needed.

What clickjacking is

Clickjacking is an attack that turns your own page against your users. The attacker loads your page inside a transparent iframe and stacks it over their own visible interface. The victim sees the attacker's page and clicks what looks like a harmless button, but the click actually lands on your hidden page underneath. With the right alignment an attacker can make a user confirm a payment, change an account setting, or grant a permission without ever knowing your page was involved.

Why X-Frame-Options and frame-ancestors stop it

The attack only works if a browser is willing to render your page inside a frame on another site. Two response headers let you control that. X-Frame-Options is the older one and accepts DENY to block all framing or SAMEORIGIN to allow framing only from your own origin; its third value, ALLOW-FROM, is obsolete and ignored by current browsers. The Content-Security-Policy header's frame-ancestors directive does the same job with finer control, letting you list the exact origins allowed to embed your page, and a browser that understands it ignores X-Frame-Options when both are present. Both only work as real HTTP response headers; a meta tag cannot set either. When the policy refuses the attacker's origin, the browser will not load your page in their frame and the attack falls apart.
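The browser-side decision described above, written out as an added example (this is not the page's or SiteSecurityScore's own code). It takes the response headers of your page, the page URL and the URL of the would-be embedder, and answers the question a browser asks before rendering the frame: when a frame-ancestors directive is present it is the only thing consulted and X-Frame-Options is ignored; otherwise DENY and SAMEORIGIN are honoured and any other value (ALLOW-FROM included) is dropped, which leaves framing allowed. Source matching is a simplified version of the CSP rules: it handles 'self', 'none', *, scheme-only sources such as https:, host sources with optional scheme and port, and *.example.com wildcards. Host names, origins and header values used here are constructed for the example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Reduce a URL to its (scheme, host, port) origin tuple."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)


def parse_csp(csp):
    """Split a CSP header into {directive: [source tokens]}; the first occurrence of a directive wins."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def source_matches(source, page, embedder):
    """Match one frame-ancestors source expression against the embedder origin (simplified CSP matching)."""
    e_scheme, e_host, e_port = embedder
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return embedder == page
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:  # scheme-source such as "https:"
        return e_scheme == src[:-1]
    scheme, _, rest = src.rpartition("://")  # host-source: [scheme://]host[:port]
    host, _, port = rest.partition(":")
    if scheme:
        if scheme != e_scheme:
            return False
    elif e_scheme not in (page[0], "https"):  # no scheme given: page's scheme, or https
        return False
    if port and port != "*":
        if str(e_port) != port:
            return False
    elif e_port != DEFAULT_PORTS.get(scheme or e_scheme):  # no port given: default port only
        return False
    if host.startswith("*."):
        return e_host.endswith(host[1:]) and e_host != host[2:]
    return e_host == host


def framing_allowed(headers, page_url, embedder_url):
    """Decide, as a browser does, whether embedder_url may put page_url in an iframe.

    headers is a {name: value} dict of the page's response headers.
    Returns (allowed, reason).
    """
    page, embedder = origin_of(page_url), origin_of(embedder_url)
    h = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    if "frame-ancestors" in csp:
        # frame-ancestors present: X-Frame-Options is ignored entirely, whatever it says
        sources = csp["frame-ancestors"]
        allowed = any(source_matches(s, page, embedder) for s in sources)
        return allowed, "frame-ancestors " + " ".join(sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return embedder == page, "X-Frame-Options: SAMEORIGIN"
    if xfo:
        # ALLOW-FROM and any other value are invalid today, so the header is ignored
        return True, "X-Frame-Options '%s' not recognised, ignored" % xfo
    return True, "no framing restriction sent"


if __name__ == "__main__":
    # Constructed sample: a payment page that allows itself and one partner origin
    sample = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://partner.example"}
    for embedder in ("https://app.example/", "https://partner.example/", "https://evil.example/"):
        print(embedder, framing_allowed(sample, "https://app.example/pay", embedder))
```

The override rule is the part worth internalising: once frame-ancestors is present, a strict X-Frame-Options: DENY next to a permissive frame-ancestors list does nothing in a CSP-capable browser, so the two must agree.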

How to add protection

The modern approach is a Content-Security-Policy header with frame-ancestors 'self', which lets only your own origin embed the page and blocks everyone else. If the page should never be framed at all, use frame-ancestors 'none'. For coverage on older browsers, pair it with X-Frame-Options DENY or SAMEORIGIN, whichever matches the CSP directive. If frame-ancestors has to name a partner origin, X-Frame-Options cannot express that (ALLOW-FROM is obsolete), so leave it out rather than sending SAMEORIGIN, which would lock the partner out in browsers that fall back to it. You can build a complete policy that includes frame-ancestors with the free CSP generator and copy it straight into your server configuration.
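An added example of putting the headers on the wire from application code rather than server configuration (this is not the page's or SiteSecurityScore's code; it is a generic WSGI middleware written for this page). It turns a framing allowlist into the header pair, adds X-Frame-Options only when the allowlist can actually be expressed in it, and, when the app already sends a Content-Security-Policy, appends frame-ancestors to that policy instead of overwriting it. The demo app, its CSP and the partner origin are constructed for the example.

```python
import io


def framing_headers(allowed_ancestors):
    """Turn a framing allowlist (CSP source expressions) into the headers to send.

    frame-ancestors carries the real policy. X-Frame-Options is only added when the
    allowlist can be expressed in it: 'none' -> DENY, 'self' -> SAMEORIGIN. An allowlist
    naming other origins gets no X-Frame-Options at all, because ALLOW-FROM is obsolete
    and a SAMEORIGIN fallback would block those partners in browsers without CSP support.
    """
    sources = [s.strip() for s in allowed_ancestors if s.strip()] or ["'none'"]
    headers = {"Content-Security-Policy": "frame-ancestors " + " ".join(sources)}
    if sources == ["'none'"]:
        headers["X-Frame-Options"] = "DENY"
    elif sources == ["'self'"]:
        headers["X-Frame-Options"] = "SAMEORIGIN"
    return headers


def merge_csp(existing, addition):
    """Append a frame-ancestors directive to a CSP the app already sends, unless it has one."""
    names = [d.split()[0].lower() for d in existing.split(";") if d.strip()]
    if "frame-ancestors" in names:
        return existing
    return existing.rstrip("; ") + "; " + addition


def add_framing_protection(app, allowed_ancestors):
    """WSGI middleware: emit the framing headers as real HTTP response headers on every response."""
    extra = framing_headers(allowed_ancestors)

    def wrapped(environ, start_response):
        def _start(status, response_headers, exc_info=None):
            out, seen = [], set()
            for name, value in response_headers:
                lname = name.lower()
                if lname == "content-security-policy":
                    value = merge_csp(value, extra["Content-Security-Policy"])
                seen.add(lname)
                out.append((name, value))
            for name, value in extra.items():
                if name.lower() not in seen:  # keep any value the app set itself
                    out.append((name, value))
            return start_response(status, out, exc_info)

        return app(environ, _start)

    return wrapped


def response_headers(app, path="/"):
    """Run a WSGI app once with a minimal environ and return the headers it emitted (for checks and tests)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers
        return lambda data: None

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "SERVER_NAME": "localhost",
               "SERVER_PORT": "80", "wsgi.url_scheme": "http", "wsgi.input": io.BytesIO(b"")}
    body = app(environ, start_response)
    if hasattr(body, "close"):
        body.close()
    return captured["headers"]


def demo_app(environ, start_response):
    """Constructed sample app that already sends a CSP, but one without frame-ancestors."""
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Content-Security-Policy", "default-src 'self'")])
    return [b"<h1>Confirm payment</h1>"]


if __name__ == "__main__":
    for allowlist in (["'none'"], ["'self'"], ["'self'", "https://partner.example"]):
        print(allowlist, response_headers(add_framing_protection(demo_app, allowlist)))
```

Merging matters because a second Content-Security-Policy header does not replace the first: browsers enforce every policy they receive, so a stray early policy without frame-ancestors still leaves that directive in force only if some policy carries it. Appending to the existing header keeps one policy per response and avoids surprises when the app's own CSP changes.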

Frequently asked questions

What is a clickjacking test?

A clickjacking test checks whether a website allows itself to be loaded inside an iframe on another site. SiteSecurityScore scans the live URL you enter and reports whether the page sends X-Frame-Options or a CSP frame-ancestors directive, the two headers that stop framing-based attacks.

What is clickjacking?

Clickjacking is an attack where a malicious site loads your page in a transparent iframe layered over its own content. The victim thinks they are clicking the attacker's page, but their clicks actually land on your hidden page. That can trigger actions like changing settings, confirming a payment, or granting a permission without the user realizing it.

What is the difference between X-Frame-Options and frame-ancestors?

X-Frame-Options is the older header and supports DENY or SAMEORIGIN to block or limit framing. The CSP frame-ancestors directive does the same job with more control, letting you list the exact origins allowed to embed your page. frame-ancestors is the modern approach and overrides X-Frame-Options in browsers that support it.

How do I fix a site with no clickjacking protection?

Add a Content-Security-Policy header with frame-ancestors 'self' so only your own origin can frame the page, and send X-Frame-Options SAMEORIGIN alongside it for older browser coverage. If your page is never meant to be embedded anywhere, use frame-ancestors 'none' with X-Frame-Options DENY. Note that a Content-Security-Policy-Report-Only header only reports violations; it does not block the frame, so it is not a fix on its own.

Does this checker scan a live site?

Yes. Enter a URL and SiteSecurityScore fetches the live response, reads the framing headers, and reports whether the page is protected in seconds. No account or signup is required.
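The check the two answers above describe, as an added example that is not SiteSecurityScore's own scanner: fetch the live response, keep the raw header list (duplicates and all, because they change what browsers do), and produce a verdict with the weaknesses a practitioner would want called out. An enforced frame-ancestors directive or a single consistent X-Frame-Options DENY/SAMEORIGIN counts as protected; a frame-ancestors directive that only appears in Content-Security-Policy-Report-Only, an obsolete ALLOW-FROM, an unrecognised value, or conflicting X-Frame-Options values is reported and, conservatively, not counted. The network fetch uses only the standard library and is not exercised offline; the header lists in the stand-alone run are constructed samples, not captured responses.

```python
import sys
import urllib.error
import urllib.request

VALID_XFO = {"DENY", "SAMEORIGIN"}


def frame_ancestors_directive(csp):
    """Return the frame-ancestors directive text from a CSP value, or None if it is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return " ".join(tokens)
    return None


def assess(headers):
    """Judge a raw header list [(name, value), ...] for clickjacking protection.

    Returns {"protected": bool, "mechanism": str or None, "findings": [str, ...]}.
    """
    findings, mechanism, by_name = [], None, {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value.strip())

    # 1. An enforced CSP with frame-ancestors is decisive; X-Frame-Options is ignored beside it.
    for csp in by_name.get("content-security-policy", []):
        directive = frame_ancestors_directive(csp)
        if directive:
            mechanism = "CSP " + directive
            break

    # 2. A Report-Only policy only reports; it never blocks the frame.
    if mechanism is None:
        for csp in by_name.get("content-security-policy-report-only", []):
            if frame_ancestors_directive(csp):
                findings.append("frame-ancestors appears only in Content-Security-Policy-Report-Only, "
                                "which does not block framing")
                break

    # 3. X-Frame-Options: one consistent DENY/SAMEORIGIN counts; anything else is flagged.
    xfo_values = []
    for raw in by_name.get("x-frame-options", []):
        xfo_values.extend(v.strip().upper() for v in raw.split(",") if v.strip())
    distinct = set(xfo_values)
    for v in sorted(distinct):
        if v.startswith("ALLOW-FROM"):
            findings.append("X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers; "
                            "use frame-ancestors instead")
        elif v not in VALID_XFO:
            findings.append("unrecognised X-Frame-Options value '%s' is ignored by browsers" % v)
    if len(distinct) > 1:
        findings.append("conflicting X-Frame-Options values %s; send exactly one" % sorted(distinct))
    elif distinct and distinct <= VALID_XFO and mechanism is None:
        mechanism = "X-Frame-Options " + xfo_values[0]
    if mechanism is None and not distinct:
        findings.append("no enforced X-Frame-Options or CSP frame-ancestors header is sent")

    return {"protected": mechanism is not None, "mechanism": mechanism, "findings": findings}


def fetch_headers(url, timeout=10):
    """Fetch the live response (redirects followed) and return its header list. Needs network access."""
    req = urllib.request.Request(url, headers={"User-Agent": "clickjacking-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return list(resp.headers.items())
    except urllib.error.HTTPError as err:
        return list(err.headers.items())  # error pages carry framing headers too


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(assess(fetch_headers(sys.argv[1])))
    else:  # constructed samples standing in for captured responses
        print(assess([("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")]))
        print(assess([("X-Frame-Options", "ALLOW-FROM https://partner.example")]))
        print(assess([("Content-Security-Policy-Report-Only", "frame-ancestors 'none'")]))
```

Run it as `python check.py https://example.com/` to test a live page, or with no argument to see the verdict on the built-in samples. The conservative stance on conflicting values is deliberate for an audit: whatever a given browser does with two different X-Frame-Options values, the fix is the same, send one.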

Check every layer in one scan

This checker covers one piece. Run a full SiteSecurityScore scan for your security headers, CSP, TLS, DNS, and cookies with a letter grade and copy-and-paste fixes. No account required.

Run a full scan