Protect your website from clickjacking – Prevent data theft

Protect your website against Clickjacking

Some time ago we received a report via our security bounty program. An observant participant had discovered that our website was vulnerable to clickjacking. Clickjacking is a technique in which malicious parties trick users into performing an action they did not intend, such as downloading malware or sending sensitive information.

In this blog we will explain what clickjacking exactly is and how you can protect your website and users against it.

What is Clickjacking?

Clickjacking is an attack where a user clicks on an element that is invisible or disguised as something else. This can lead to unwanted actions such as downloading malware, visiting malicious websites, or inadvertently sharing sensitive data.

Different types of clickjack attacks include:
  1. Likejacking: This involves manipulating the “like” button on Facebook, for example, so that you unknowingly “like” a different page than the one you intended.
  2. Cursorjacking: This tricks you by displaying your mouse cursor at a different position on the screen than where it actually is.

Now that you know what clickjacking is, it's important to understand how to protect yourself against it.

How does Clickjacking work?

Clickjacking often works through a technique where a hacker places an invisible layer over your website, usually via an iframe. This layer can replace your links and buttons with its own, without the visitor noticing. For example, a hacker can place an invisible Facebook "Like" button to collect likes and thus rank higher in search results. This is a typical example of likejacking.

What can you do against Clickjacking?

Not every website is equally interesting to hackers, but that does not mean that you are not at risk. Fortunately, there is a simple solution: the X-Frame-Options header. This is a mechanism that browsers use to prevent clickjacking. When your web server sends this header, the browser checks whether the page is allowed to be loaded inside a frame. If that is not the case, the browser blocks the page from loading in the frame.

LinQhost Solution

At LinQhost we have a solution to prevent clickjacking. We make sure that all web servers send the X-Frame-Options header with the value SAMEORIGIN. This allows your pages to be loaded in iframes only by your own domain, which means that hackers cannot put malicious layers on top of your website.

You don't have to do anything! We will roll out this update in the coming days and make sure that your website, your customer data and your visitors are safe from clickjacking.
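The decision the browser makes for this header can be modeled in a few lines, which is useful for checking the headers your own site returns. The Python below is an added example, not LinQhost's code; the function names, the shop.example and other.example hosts and the sample headers are constructed for illustration, and the model is simplified to one level of framing.

```python
from urllib.parse import urlsplit

def origin(url):
    """Return (scheme, host, port) for a URL, filling in default ports."""
    p = urlsplit(url)
    port = p.port or {"http": 80, "https": 443}.get(p.scheme)
    return (p.scheme, (p.hostname or "").lower(), port)

def xfo_values(headers):
    """Collect X-Frame-Options values from (name, value) pairs, lowercased.
    Header names are case-insensitive; a value may be a comma-separated list."""
    values = set()
    for name, value in headers:
        if name.lower() == "x-frame-options":
            values.update(v.strip().lower() for v in value.split(",") if v.strip())
    return values

def may_be_framed(page_url, framing_url, headers):
    """Simplified model: may framing_url show page_url in an iframe?"""
    values = xfo_values(headers)
    recognised = values & {"deny", "sameorigin"}
    if not recognised:
        return True    # header missing or value unrecognised: no protection
    if len(values) > 1 or "deny" in values:
        return False   # conflicting values or DENY: framing is blocked
    return origin(page_url) == origin(framing_url)  # SAMEORIGIN

# Constructed sample responses (not captured from a real server).
PROTECTED = [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")]
UNPROTECTED = [("Content-Type", "text/html")]
TYPO = [("x-frame-options", "SAME-ORIGIN")]  # misspelled value is ignored

if __name__ == "__main__":
    page = "https://shop.example/checkout"
    samples = [("protected", PROTECTED), ("unprotected", UNPROTECTED), ("typo", TYPO)]
    for label, hdrs in samples:
        for framer in ("https://shop.example/", "https://other.example/"):
            print(label, framer, may_be_framed(page, framer, hdrs))
```

A misspelled value such as SAME-ORIGIN is treated like a missing header, so it is worth checking the exact value your server sends.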
