Defaults.Exposed


Clickjacking

Also known as: UI redress attack, click hijacking

A trick where your real website is hidden inside an attacker's page so visitors click things they can't see — defended by a simple setting that stops your site being framed.

What it is

Clickjacking is a deception. An attacker loads your genuine website invisibly on top of (or beneath) their own page, then lures a visitor into clicking what looks like a harmless button. In reality the click lands on your hidden site — confirming a payment, changing a setting, or approving something the visitor never intended. Your real site is doing exactly what it’s told; the visitor just can’t see what they’re actually clicking.

Why it matters to your business

If your site can be silently embedded in someone else’s page, a scammer can puppet your customers into actions on their own accounts — and to the customer it will look like your site did it. That’s a direct hit to trust, and potentially to your customers’ money.

The defence is straightforward: a setting that tells browsers “don’t allow my site to be displayed inside another site’s frame.” It’s invisible to legitimate visitors and shuts the technique down entirely. There’s rarely a reason for an ordinary business site to be embeddable elsewhere, so this is usually a safe, free win.

How to tell / what to do

Our free checker tells you whether your site is protected against being framed. If it isn’t, the clickjacking fix guide shows how to add the protective setting — a small change made by whoever manages your website, at no cost.
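For whoever manages the website: browsers read this setting from two standard response headers, `X-Frame-Options` and the `frame-ancestors` directive of `Content-Security-Policy`. The sketch below is an added example, not the checker's own code; the function name `framingProtection` and the sample responses are constructed for illustration. It classifies a set of response headers as protected or not.

```javascript
// Added example: classify a response's anti-framing headers (defensive check).
function framingProtection(rawHeaders) {
  const h = {};
  for (const [name, value] of Object.entries(rawHeaders)) {
    h[name.toLowerCase()] = String(value); // header names are case-insensitive
  }
  // Only the enforced CSP header counts; the Report-Only variant blocks nothing.
  // Several policies may arrive comma-joined, and each one is applied.
  const lists = [];
  for (const policy of (h['content-security-policy'] || '').split(',')) {
    const directive = policy.split(';').map((d) => d.trim().split(/\s+/))
      .find((parts) => parts[0].toLowerCase() === 'frame-ancestors');
    if (directive) lists.push(directive.slice(1).map((s) => s.toLowerCase()));
  }
  if (lists.length > 0) {
    // A wildcard or a bare scheme such as "https:" lets almost any site frame the page.
    const isWide = (list) => list.some((s) => s === '*' || /^[a-z][a-z0-9+.-]*:$/.test(s));
    const strict = lists.find((list) => !isWide(list));
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    return strict
      ? { protected: true, via: 'csp', allowed: strict }
      : { protected: false, via: 'csp', allowed: lists[0] };
  }
  // Fallback: the older X-Frame-Options header. This check accepts only a single
  // DENY or SAMEORIGIN; ALLOW-FROM is obsolete and ignored by current browsers.
  const xfo = (h['x-frame-options'] || '').trim().toLowerCase();
  if (xfo === 'deny' || xfo === 'sameorigin') {
    return { protected: true, via: 'x-frame-options', allowed: [xfo] };
  }
  return { protected: false, via: xfo ? 'x-frame-options' : 'none', allowed: [] };
}

// Constructed sample responses (not captured from any real site).
const samples = {
  legacyOnly: { 'X-Frame-Options': 'DENY' },
  cspNone: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  cspWildcard: { 'Content-Security-Policy': 'frame-ancestors *', 'X-Frame-Options': 'DENY' },
  reportOnly: { 'Content-Security-Policy-Report-Only': "frame-ancestors 'none'" },
  obsoleteXfo: { 'x-frame-options': 'ALLOW-FROM https://partner.example' },
  missing: { 'Content-Type': 'text/html' },
};
for (const [label, headers] of Object.entries(samples)) {
  console.log(label, JSON.stringify(framingProtection(headers)));
}
```

The `cspWildcard` and `reportOnly` samples are the ones to watch for: a header is present in both, yet neither stops the page being framed.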
