SecPrep

Which HTTP response header primarily prevents clickjacking?

  1. Strict-Transport-Security
  2. X-Frame-Options ✓ correct
  3. X-Content-Type-Options
  4. Referrer-Policy

X-Frame-Options: DENY / SAMEORIGIN prevents the page from being embedded in iframes, blocking clickjacking. Modern equivalent: Content-Security-Policy: frame-ancestors 'none'.

X-Frame-Options (or frame-ancestors in CSP) prevents the page from being framed.
