What is clickjacking (UI redressing), and how do you defend against it in layers?
Clickjacking tricks a victim into clicking something other than what they perceive: the attacker loads your site in a transparent or disguised <iframe> and overlays decoy UI, so a click meant for the decoy actually lands on a sensitive control of your framed page (e.g. an account deletion, a payment confirmation, an OAuth consent). It's a form of UI redressing; variants include likejacking (social actions) and cursorjacking.
Primary defense — refuse to be framed: send Content-Security-Policy: frame-ancestors 'none' (or 'self'/a trusted allowlist), with X-Frame-Options: DENY as a legacy fallback. Secondary, defense-in-depth: SameSite=Lax/Strict cookies so state-changing requests inside a cross-site frame don't carry the session, and an explicit re-confirmation/re-auth step on destructive actions. Legacy JavaScript frame-busting should never be the only control.
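
The header-level layers above can be checked mechanically. The following is an added example, not code from the original page: it audits one response's headers for an enforced frame-ancestors directive, the X-Frame-Options fallback, and SameSite on cookies. The function names and sample headers are hypothetical, and every Set-Cookie header is assumed to carry session state.

```python
# Added example; the header values are constructed samples, not captured traffic.

def frame_ancestors(csp_value):
    """Return the frame-ancestors source list of one CSP policy, or None."""
    for directive in csp_value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]  # first occurrence wins
    return None

def audit_framing(headers):
    """headers: list of (name, value) pairs. Returns a list of findings."""
    def get(name):
        return [v for n, v in headers if n.lower() == name]

    findings = []
    # Layer 1: an enforced CSP frame-ancestors (Report-Only does not block).
    policies = [p for p in map(frame_ancestors, get("content-security-policy"))
                if p is not None]
    if not policies:
        findings.append("csp: no enforced frame-ancestors directive")
    # Every enforced policy must allow the embedder, so one strict policy is enough.
    elif all(any(s in ("*", "http:", "https:") for s in p) for p in policies):
        findings.append("csp: frame-ancestors allows any origin")
    # Layer 1 fallback: X-Frame-Options for browsers without frame-ancestors.
    xfo = [v.strip().upper() for v in get("x-frame-options")]
    if not xfo:
        findings.append("xfo: legacy fallback header missing")
    elif any(v not in ("DENY", "SAMEORIGIN") for v in xfo):
        findings.append("xfo: only DENY and SAMEORIGIN are honoured")
    # Layer 2: cookies must not ride along in a cross-site frame.
    for value in get("set-cookie"):
        name = value.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in value.split(";")[1:]]
        if not any(a in ("samesite=lax", "samesite=strict") for a in attrs):
            findings.append(f"cookie {name}: no SameSite=Lax/Strict")
    return findings

WEAK = [("Content-Security-Policy", "default-src 'self'"),
        ("X-Frame-Options", "ALLOW-FROM https://partner.example"),
        ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly; SameSite=None")]
HARDENED = [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
            ("X-Frame-Options", "DENY"),
            ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax")]

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_framing(sample))
```

The re-confirmation or re-auth step on destructive actions lives in application logic and is not visible in headers, so it needs a separate review.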