Clickjacking (Frame Controls and UI Redress)
Threat Model
- Attacker frames your site and overlays invisible UI.
Primary Defense
Content-Security-Policy: frame-ancestors 'none'
Legacy
X-Frame-Options: DENY
Verification
curl -I https://app.example.com
Failure Modes
- Headers applied only on root path.
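
The check below is an added example, not part of the original page: it classifies the headers that curl -I prints, so the verification can be repeated per route and catch the root-path-only failure mode. The function names and the sample responses are constructed for illustration.

```shell
# Added example, not from the original page. Sample headers are constructed.

# Reads one response's headers (as printed by `curl -sI`) on stdin and prints:
#   csp      - enforced Content-Security-Policy with frame-ancestors 'none'
#   xfo-only - only the legacy X-Frame-Options: DENY is present
#   missing  - neither control is present
frame_verdict() (
  hdrs=$(tr -d '\r')   # HTTP header lines end in CRLF
  # Header names are case-insensitive. The trailing ':' excludes
  # Content-Security-Policy-Report-Only, which is never enforced.
  csp=$(printf '%s\n' "$hdrs" | grep -i '^content-security-policy:' || true)
  xfo=$(printf '%s\n' "$hdrs" | grep -i '^x-frame-options:' || true)
  if printf '%s\n' "$csp" |
     grep -Eiq "[:;,][[:space:]]*frame-ancestors[[:space:]]+'none'[[:space:]]*([;,]|\$)"; then
    echo csp
  elif printf '%s\n' "$xfo" | grep -Eiq ':[[:space:]]*deny[[:space:]]*$'; then
    echo xfo-only
  else
    echo missing
  fi
)

# Checks every given path under a base URL; exits non-zero if any path lacks
# the CSP control. Needs network access, so it is defined but not called here.
audit_paths() (
  base=$1; shift; rc=0
  for p in "$@"; do
    v=$(curl -sI "$base$p" | frame_verdict)
    printf '%-9s %s\n' "$v" "$p"
    [ "$v" = csp ] || rc=1
  done
  exit "$rc"
)

# Constructed responses: a covered root path, a route the header config missed,
# a legacy-only route, and a report-only policy.
ROOT_HDRS=$(printf "HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\nX-Frame-Options: DENY\r\n\r\n")
ROUTE_HDRS=$(printf "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n")
LEGACY_HDRS=$(printf "HTTP/1.1 200 OK\r\nx-frame-options: deny\r\n\r\n")
REPORT_HDRS=$(printf "HTTP/1.1 200 OK\r\nContent-Security-Policy-Report-Only: frame-ancestors 'none'\r\n\r\n")

for sample in "$ROOT_HDRS" "$ROUTE_HDRS" "$LEGACY_HDRS" "$REPORT_HDRS"; do
  printf '%s\n' "$sample" | frame_verdict
done
```

For a live check, run audit_paths https://app.example.com / /login /settings, where the route list is a placeholder for your own.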