JAVASCRIPT
Preventing Clickjacking with X-Frame-Options Header
Protect your web application from clickjacking attacks by setting the X-Frame-Options HTTP header, preventing unauthorized embedding of your content in iframes.
```javascript
const express = require('express');
const helmet = require('helmet');

const app = express();

// Set the X-Frame-Options header on every response. helmet.xFrameOptions is the
// newer alias of helmet.frameguard; both accept only 'DENY' and 'SAMEORIGIN'
// (case-insensitive). 'ALLOW-FROM uri' is obsolete, ignored by current browsers
// and rejected by helmet; use the CSP frame-ancestors directive for allow-lists.
app.use(helmet.xFrameOptions({ action: 'DENY' }));

app.get('/', (req, res) => {
  res.send('Your content is protected from clickjacking!');
});

app.listen(3000, () => {
  console.log('Server running on port 3000 with X-Frame-Options');
});
```
How it works: Clickjacking is an attack in which a user is tricked into clicking something other than what they perceive, typically by loading the target site in an invisible iframe or under an overlay on an attacker-controlled page. The `X-Frame-Options` HTTP header tells the browser whether the page may be rendered inside a frame: `DENY` forbids framing by any origin, including the site itself, while `SAMEORIGIN` permits framing only by pages from the same origin. This snippet implements it with Express.js and the `helmet` middleware, using `DENY` so the content cannot be embedded at all. Note that the `frame-ancestors` directive of `Content-Security-Policy` supersedes `X-Frame-Options` in current browsers and is the only way to allow a specific list of embedding origins, so sending both headers gives the broadest coverage.