
Andy Stevens
Front End Web Development Techdegree Graduate, 20,417 Points

What is the best way to prevent clickjacking?

Hi all,

I have developed a web application within Google Apps Script for our organisation, which is going to be embedded in an iframe on our CMS (content management system). I know that iframes are susceptible to clickjacking and haven't covered any topics on how to secure my application. What is the best way within Google Apps Script to secure the web app?

Any advice or guidance that can be given would be greatly appreciated. I am of the understanding that my options within Google Apps Script are limited; still, I need to ensure that I am not putting client special category data at risk when I launch the application.

Kind regards, Andy

1 Answer

Steven Parker
231,153 Points

Any page can be susceptible to clickjacking, not just ones that are displayed in iframes. But it might be a bit easier for the attacker if the page is intended to be displayed that way.

The only effective strategy that I know of is to use the X-Frame-Options header on the server and enforce the SAMEORIGIN restriction. Then an attacker's site won't be able to display your page in its own iframe (remember that clickjacking only occurs when the victim is already connected to the attacker's website).

For more details, see the MDN page on X-Frame-Options.
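Added example, not part of the question or of the answer above: a small Node.js program that emits the X-Frame-Options header the answer recommends, together with the Content-Security-Policy frame-ancestors directive that current browsers consult first, and a function modelling how a browser decides whether a given framing origin may render the page. The origins https://app.example, https://cms.example and https://evil.example are constructed for illustration. Apps Script does not expose raw response headers, so the server part runs on plain Node rather than in Apps Script.

```javascript
// Added example: anti-clickjacking response headers on a plain Node.js server,
// plus a model of the browser-side check. Origins are constructed for this example.

// Origins permitted to frame the page. 'self' means the page's own origin; the
// CMS origin is listed because SAMEORIGIN alone would also block a legitimate
// embed from a CMS served on a different origin.
const ALLOWED_FRAMERS = ["'self'", 'https://cms.example'];

// X-Frame-Options is the legacy header: it only knows DENY and SAMEORIGIN and
// cannot carry an allow-list. CSP frame-ancestors supersedes it and accepts a
// list of origins, so both are sent: old browsers read the first, new ones the second.
function antiFramingHeaders(allowedFramers = ALLOWED_FRAMERS) {
  return {
    'X-Frame-Options': 'SAMEORIGIN',
    'Content-Security-Policy': `frame-ancestors ${allowedFramers.join(' ')}`,
  };
}

// Model of the browser's decision: may a document served with `headers` from
// `pageOrigin` be rendered inside a frame owned by `framerOrigin`?
// Browsers that support frame-ancestors ignore X-Frame-Options when it is present.
function framingAllowed(headers, pageOrigin, framerOrigin) {
  const csp = headers['Content-Security-Policy'] || '';
  const directive = csp
    .split(';')
    .map((part) => part.trim())
    .find((part) => part.startsWith('frame-ancestors'));

  if (directive) {
    // "frame-ancestors 'none'" matches nothing below and therefore blocks all framing.
    const sources = directive.split(/\s+/).slice(1);
    return sources.some(
      (src) =>
        src === '*' ||
        (src === "'self'" && framerOrigin === pageOrigin) ||
        src === framerOrigin
    );
  }

  const xfo = (headers['X-Frame-Options'] || '').toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framerOrigin === pageOrigin;
  // No header at all: any site may frame the page, i.e. it is clickjackable.
  return true;
}

// Minimal server that attaches the headers to every response. http is required
// lazily so the pure functions above can be used without starting a server.
function createServer() {
  const http = require('http');
  return http.createServer((req, res) => {
    res.writeHead(200, {
      'Content-Type': 'text/html; charset=utf-8',
      ...antiFramingHeaders(),
    });
    res.end('<!doctype html><p>Embedded app</p>');
  });
}

// Run with `node file.js --serve` to listen on port 8080, then inspect the
// headers with `curl -I http://localhost:8080/`.
if (process.argv.includes('--serve')) {
  createServer().listen(8080);
}

module.exports = { antiFramingHeaders, framingAllowed, createServer };
```

The model is deliberately simple (exact header-name matching, no scheme-only or wildcard-host sources), but it captures the decision that matters: with no header the attacker's origin is allowed, with SAMEORIGIN only the page's own origin is, and with frame-ancestors the CMS origin can be admitted while everything else stays blocked. For an Apps Script web app the equivalent control is HtmlOutput.setXFrameOptionsMode(): the DEFAULT mode keeps the normal framing restriction, while ALLOWALL removes the header entirely, which is what embedding in a non-Google page requires, so an embedded Apps Script app trades away the protection this example shows unless the embedding page itself is the only place users ever load it from.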