Clickjacking protection is essential for safeguarding web applications and ensuring user interactions on a website are not hijacked by malicious actors. This guide delves into the methods and best practices for implementing clickjacking protection, including specific approaches for WordPress and Salesforce Visualforce pages.

What is Clickjacking Protection?

Clickjacking protection refers to the security measures used to prevent malicious embedding of web pages in iframes, where attackers trick users into performing unintended actions. 

These protections ensure that a webpage cannot be loaded within an unauthorized iframe, thereby preserving user trust and preventing unauthorized actions.

Why Clickjacking Protection Matters

Clickjacking can:

• Expose sensitive data.
• Lead to unauthorized actions like fraudulent transactions.
• Undermine user trust in a platform.

Implementing Clickjacking Protection

1. Using HTTP Headers

The most effective way to prevent clickjacking is to use specific HTTP headers that control how and where a webpage can be embedded.

X-Frame-Options Header

The X-Frame-Options header tells the browser whether a webpage can be displayed in an iframe.

• Options:
  • DENY: Prevents the page from being displayed in any iframe.
  • SAMEORIGIN: Allows the page to be displayed only if the request comes from the same domain.
  • ALLOW-FROM [URL]: Permits embedding from specific origins (deprecated in modern browsers).

Example:

X-Frame-Options: SAMEORIGIN

Content Security Policy (CSP)

The frame-ancestors directive in a CSP provides a more modern approach to controlling iframe embedding. It offers greater flexibility and is supported by most modern browsers.

Example:

Content-Security-Policy: frame-ancestors ‘self’ https://trusted-site.com;

Clickjacking Protection for WordPress

WordPress websites are often targeted due to their widespread use. Here’s how to secure WordPress against clickjacking:

1. Enable Clickjacking Protection via Plugins

Plugins like HTTP Headers or iThemes Security can simplify the process of adding security headers to your WordPress site.

2. Modify .htaccess File

Add the following code to your .htaccess file to implement X-Frame-Options:

<IfModule mod_headers.c>

    Header always append X-Frame-Options SAMEORIGIN

</IfModule>

3. Custom Theme Functions

Add the following PHP code to your theme’s functions.php file to set the X-Frame-Options header:

function add_security_headers() {

    header(‘X-Frame-Options: SAMEORIGIN’);

}

add_action(‘send_headers’, ‘add_security_headers’);

Clickjacking Protection for Salesforce Visualforce Pages

Salesforce provides built-in options to enable clickjacking protection for Visualforce pages:

1. Enable Clickjacking Protection

To enable clickjacking protection for Visualforce pages:

• Navigate to Setup > Session Settings.
• Enable the following options:
  • Enable clickjack protection for customer Visualforce pages with standard headers.
  • Enable clickjack protection for customer Visualforce pages with headers disabled.

2. Use the X-Frame-Options Header

For more granular control, you can configure the Visualforce page’s headers to include the X-Frame-Options directive.

Advanced Clickjacking Protection Techniques

1. Basic Clickjacking with CSRF Token Protection

Combining CSRF tokens with clickjacking protection ensures additional security:

• Generate and validate CSRF tokens for form submissions.
• Use headers like X-Frame-Options to block unauthorized iframe usage.

2. Protecting on the Server Side

Server-side measures include:

• Validating referrer headers to ensure requests originate from authorized sources.
• Dynamically generating session-specific tokens for requests.