Clickjacking in 2026: Why Most Apps Still Have It and What to Set
Pentestas Team
Security Analyst

Introduction to Clickjacking in 2026
Clickjacking, often referred to as a "UI redress attack," is a technique where attackers trick users into clicking on a different element than they perceive. Despite being identified over a decade ago, it remains a prevalent threat in web security. In clickjacking, an attacker overlays a malicious page on a legitimate one, enticing users to perform unintended actions like changing settings or initiating transactions. As web applications continue to evolve, the complexity and subtlety of such attacks have also increased, keeping clickjacking relevant in today's security landscape.
Historically, clickjacking emerged as a significant threat in the early 2010s, with attackers exploiting iframe-based overlays. Over time, the security community has developed several countermeasures, including the use of the X-Frame-Options HTTP header and the Content Security Policy's frame-ancestors directive. However, as websites grow more interactive and complex, attackers continue to find new ways to circumvent these protections, keeping the battle against clickjacking ongoing.
The persistence of clickjacking, despite advancements in security, can be attributed to several factors. First, the sheer diversity of web applications, each with its unique architecture and security posture, creates a wide array of potential attack vectors. Additionally, the human factor—such as user awareness and the frequent neglect of security headers by developers—contributes significantly to the prevalence of clickjacking. Common vectors today include compromised ad networks and malicious third-party widgets, which can surreptitiously introduce clickjacking vulnerabilities into otherwise secure websites.
Pentestas' Approach to Clickjacking
At Pentestas, we employ a combination of automated tools and manual testing to identify clickjacking threats. Our platform analyzes the implementation of security headers and tests the resilience of web applications against iframe-based attacks. By simulating various attack scenarios, we help organizations fortify their applications against these insidious threats.
The Limitations of X-Frame-Options
The X-Frame-Options header was introduced to prevent clickjacking by controlling whether a browser should render a page in a <frame>, <iframe>, or <object>. It can be set to DENY, SAMEORIGIN, or ALLOW-FROM, each dictating different levels of framing permissibility. Despite its straightforward concept, incorrect configurations are commonplace, leading to vulnerabilities.
One common mistake is setting X-Frame-Options to ALLOW-FROM with a non-existent domain. Although it looks like a cautious choice, it produces inconsistent behaviour across browsers: some ignore the header altogether, leaving the application vulnerable. Attackers exploit such lapses with modern techniques, such as abusing browser quirks or using JavaScript to manipulate the DOM.
A notable case study involved a finance application that had implemented X-Frame-Options: SAMEORIGIN. Yet, an attacker was able to bypass this by utilizing a legacy system that was part of the same origin but wasn’t intended to be publicly accessible. The attacker framed the legacy interface within an invisible iframe, leading users to unknowingly execute transactions.
Header set X-Frame-Options "ALLOW-FROM https://trusted.com"
# This configuration is often misused by setting an incorrect domain.
# Browsers that never implemented ALLOW-FROM, such as Chrome, ignore the header entirely, so the page stays frameable there.

At Pentestas, our approach to identifying these misconfigurations involves simulating potential attack vectors that exploit inadequate use of X-Frame-Options. We analyze response headers and test access across various origins to ensure that no unintended data leakage occurs. By conducting thorough penetration tests, we help applications stay one step ahead of attackers who aim to exploit these vulnerabilities.
CSP Frame-Ancestors: The Modern Solution?
The introduction of Content Security Policy (CSP) has been a game-changer for web security, allowing developers to define which sources can load content on their sites. A key directive within CSP is frame-ancestors, which specifies valid parent sources that may embed a page. This directive is crucial in preventing clickjacking attacks, where attackers load your site in an invisible iframe to steal clicks. Compared to the older X-Frame-Options, frame-ancestors offers more flexibility and broader browser support.
One of the primary advantages of CSP frame-ancestors over X-Frame-Options is that it can specify multiple domains, giving fine-grained control over who may embed your site. This is particularly useful in complex web applications where content must be shared across several trusted domains. While X-Frame-Options effectively supports only DENY and SAMEORIGIN (its ALLOW-FROM value was never consistently implemented across browsers), frame-ancestors can whitelist specific origins, allowing far more precise security policies.
Despite its advantages, implementing frame-ancestors can be challenging. Developers often face complexities in maintaining a comprehensive list of trusted domains, especially in environments where third-party services are frequently integrated. There is also the risk of inadvertently blocking legitimate content if the policy is too restrictive. At Pentestas, we recommend a phased approach where frame-ancestors policies are first tested in report-only mode to gather insights without impacting user experience.
Content-Security-Policy: frame-ancestors 'self' https://trusted.partner.com;

In comparing CSP to traditional frame-based security measures, it's clear that CSP offers a more robust and flexible solution. While X-Frame-Options remains a viable option for simple scenarios, the frame-ancestors directive is better suited for complex applications requiring nuanced control. Our implementation strategy at Pentestas involves actively monitoring and updating CSP policies to adapt to changing security requirements, ensuring our clients' applications remain secure from evolving threats.
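A worked check for the two sections above, added here as an example and not code from the article or from Pentestas: it classifies a response's framing protection, treating an ALLOW-FROM value and a report-only frame-ancestors directive as unprotected and flagging a missing X-Frame-Options fallback. The header sets it is run against are constructed.

```python
from typing import Dict, List, Optional

BROAD_SOURCES = {"*", "http:", "https:"}  # any site on the scheme may frame the page


def frame_ancestors_sources(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list (lowercased) from a CSP header
    value, or None when the policy carries no such directive."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def assess_framing(headers: Dict[str, str]) -> Dict[str, object]:
    """Classify framing protection from a response's headers (names matched
    case-insensitively). Browsers that support frame-ancestors ignore
    X-Frame-Options whenever the directive is present, so an enforced CSP
    decides; X-Frame-Options only counts when no enforced directive exists."""
    h = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []
    protected = False
    enforced = frame_ancestors_sources(h.get("content-security-policy", ""))
    report_only = frame_ancestors_sources(h.get("content-security-policy-report-only", ""))
    xfo = h.get("x-frame-options", "").strip().upper()
    legacy_ok = xfo in ("DENY", "SAMEORIGIN")

    if enforced is not None:
        if BROAD_SOURCES & set(enforced):
            findings.append("frame-ancestors allows any origin; list only trusted origins")
        else:
            protected = True
    elif report_only is not None:
        findings.append("frame-ancestors is only in Content-Security-Policy-Report-Only: "
                        "browsers report violations but still allow framing; move it to "
                        "the enforced header once the reports are clean")
    if xfo.startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options ALLOW-FROM is ignored by browsers that never "
                        "implemented it; express the allow-list with frame-ancestors")
    elif xfo and not legacy_ok:
        findings.append(f"unrecognised X-Frame-Options value {xfo!r} is ignored by browsers")
    if enforced is None and legacy_ok:
        protected = True
    elif enforced is None:
        findings.append("no enforced framing protection: set Content-Security-Policy "
                        "frame-ancestors, plus X-Frame-Options DENY/SAMEORIGIN as fallback")
    elif not legacy_ok:
        findings.append("add X-Frame-Options DENY or SAMEORIGIN as a fallback for browsers "
                        "that predate frame-ancestors")
    return {"protected": protected, "findings": findings}
```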
OAuth Consent Clickjacking: A Rising Concern
OAuth 2.0 is a widely adopted framework that lets users grant applications delegated access to their data. It is the backbone of many web services that require authentication and authorization, such as Google, Facebook, and GitHub. OAuth's consent flow allows users to grant third-party applications specific permissions without sharing their credentials. However, this process is not immune to clickjacking. Malicious actors can exploit the consent screens by embedding them within a transparent iframe, tricking users into clicking unintended buttons.
When a user is tricked into clicking a disguised consent button, the attacker can gain access to sensitive data or perform actions on behalf of the user without their knowledge. This vulnerability poses significant risks, especially when permissions include access to email accounts, contact lists, or financial information. Real-world incidents have shown that unprotected OAuth flows can lead to unauthorized data access, as seen in several high-profile breaches over the past years. These incidents highlight the critical need for securing OAuth implementations.
Mitigation Strategies
Pentestas recommends implementing the X-Frame-Options header with a value of DENY or SAMEORIGIN to prevent framing of OAuth consent screens.
Pentestas takes a proactive approach by conducting thorough assessments of OAuth implementations during our security audits. Our teams analyze application flows, ensuring that all consent screens are protected against clickjacking. We advise developers to implement the Content-Security-Policy header with a frame-ancestors directive to specify allowed origins. These measures, combined with regular security updates and user education, form a robust defense against OAuth consent clickjacking.
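The server side of these recommendations as an added example (not Pentestas code and not from the article): a WSGI middleware that emits the frame-ancestors policy for a consent endpoint, optionally in report-only mode for the phased rollout described earlier, and derives the X-Frame-Options fallback from the same allow-list. The consent_page app and the /csp-report endpoint are assumptions made for the demo.

```python
from typing import Callable, Iterable, List, Optional, Tuple

Header = Tuple[str, str]


def framing_headers(allowed_ancestors: Iterable[str], report_only: bool = False,
                    report_uri: Optional[str] = None) -> List[Header]:
    """Build the headers that restrict who may frame a page. allowed_ancestors
    holds CSP source expressions ("'self'", "https://trusted.partner.com"); an
    empty list means nobody may frame it. report_only=True sends the
    Report-Only header and no X-Frame-Options, which has no report-only mode."""
    sources = list(allowed_ancestors) or ["'none'"]
    csp = "frame-ancestors " + " ".join(sources)
    if report_uri:
        csp += f"; report-uri {report_uri}"
    if report_only:
        return [("Content-Security-Policy-Report-Only", csp)]
    # Fallback for browsers that predate frame-ancestors: X-Frame-Options can only
    # say DENY or SAMEORIGIN, so a partner allow-list degrades to SAMEORIGIN there.
    # Browsers that support frame-ancestors ignore X-Frame-Options when it is present.
    xfo = "DENY" if sources == ["'none'"] else "SAMEORIGIN"
    return [("Content-Security-Policy", csp), ("X-Frame-Options", xfo)]


def add_framing_headers(app: Callable, allowed_ancestors: Iterable[str],
                        report_only: bool = False, report_uri: Optional[str] = None) -> Callable:
    """WSGI middleware: append the framing headers to every response without
    overriding a header the wrapped application already set itself."""
    extra = framing_headers(allowed_ancestors, report_only, report_uri)

    def wrapped(environ, start_response):
        def guarded_start_response(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            merged = list(headers) + [h for h in extra if h[0].lower() not in present]
            return start_response(status, merged, exc_info)
        return app(environ, guarded_start_response)
    return wrapped


def call_app(app: Callable) -> Tuple[str, List[Header], bytes]:
    """Invoke a WSGI app once in-process and return (status, headers, body)."""
    out = {}

    def start_response(status, headers, exc_info=None):
        out["status"], out["headers"] = status, list(headers)
    body = b"".join(app({}, start_response))
    return out["status"], out["headers"], body


def consent_page(environ, start_response):
    """Constructed stand-in for an OAuth consent endpoint, not a real one."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<h1>Grant access?</h1>"]


# Enforced policy for the consent page; /csp-report is a hypothetical endpoint.
consent_app = add_framing_headers(consent_page, ["'self'"], report_uri="/csp-report")
```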
Real-World Impacts of Clickjacking
In recent years, we've seen several high-profile cases where clickjacking has been exploited to significant effect. For instance, the 2025 attack on a popular social media platform resulted in unauthorized posts and data exposure, impacting over 5 million users. This attack leveraged hidden iframes and manipulated CSS to trick users into interacting with malicious content unknowingly. Such cases are not isolated, as attackers continue to find innovative ways to exploit vulnerabilities, leaving users and companies vulnerable.
The financial and reputational damage from clickjacking can be devastating. Companies that fall victim to these attacks often face costly remediation processes and potential legal action. In 2024, a financial institution reported losses exceeding $2 million due to fraudulent transactions initiated through clickjacked interfaces. Moreover, the erosion of user trust can lead to a significant drop in user engagement, affecting long-term business viability.
Header set X-Frame-Options "DENY"
# Alternatively, use SAMEORIGIN to allow framing only by pages from the same origin
Header set X-Frame-Options "SAMEORIGIN"

User experience can degrade significantly when interfaces are compromised. Imagine navigating a site where every click could lead to unintended actions, such as unauthorized purchases or data sharing. This degradation not only frustrates users but also increases support costs as users seek assistance. Educating users about such threats is crucial. Awareness campaigns and intuitive design can mitigate risks. By integrating security education into the user experience, companies can empower users to identify and avoid potential threats.
Pentestas' Educational Tools
At Pentestas, we offer comprehensive tools that educate clients on clickjacking risks. Our interactive modules simulate real-world scenarios, allowing users to understand potential vulnerabilities and the importance of implementing security measures like the X-Frame-Options header.
Pentestas' Clickjacking Detection Techniques
At Pentestas, we've developed an AI-driven approach to detect clickjacking, leveraging the latest advancements in machine learning and data analysis. Our system continuously scans application interfaces, identifying vulnerable points where clickjacking attacks might occur. By analyzing patterns in user interface behavior, our AI can predict potential exploitation scenarios before they manifest. This proactive stance allows us to provide timely alerts to developers, significantly reducing the risk of clickjacking attacks going unnoticed.
Our detection process relies on a combination of key algorithms and technologies, such as convolutional neural networks (CNNs) and anomaly detection models. These algorithms scrutinize the DOM structure and analyze user interaction patterns to identify suspicious UI overlays. A critical part of our strategy is checking the Content-Security-Policy frame-ancestors and X-Frame-Options headers to detect and mitigate clickjacking attempts. Our machine learning models are trained on extensive datasets of known attack vectors, ensuring high precision in identifying new threats.
Integration into Client Environments
By seamlessly integrating our detection tools within client environments, Pentestas ensures minimal disruption while maximizing security. Our API allows for easy integration with existing CI/CD pipelines, enabling continuous protection without the need for extensive reconfiguration.
Incorporating machine learning has dramatically enhanced our detection accuracy. Our systems learn from each detected incident, refining their algorithms for future threats. This iterative improvement process is vital for adapting to the ever-evolving landscape of cybersecurity threats. To illustrate the effectiveness of our approach, consider our work with a major financial app, where our tools detected a sophisticated clickjacking scheme that bypassed traditional security measures. This case study, among others, underscores the importance of advanced detection techniques in safeguarding applications.
Engineering Solutions for Clickjacking Prevention
Preventing clickjacking requires a robust set of engineering best practices. At the heart of these practices is the implementation of HTTP headers, such as X-Frame-Options and Content-Security-Policy. These headers prevent your content from being embedded in an iframe by unauthorized domains. An often recommended setting is X-Frame-Options: SAMEORIGIN, which allows framing only by pages from the same origin. However, this alone is not a silver bullet, and secure coding practices must be integrated during the development phase.
Secure coding plays a crucial role in mitigating the risks associated with clickjacking. Developers should rigorously validate input and sanitize output, ensuring that no untrusted content can be framed. Additionally, employing libraries that are regularly updated to handle new vulnerabilities is essential. At Pentestas, we recommend structuring your application to minimize the attack surface by isolating sensitive components and using multi-factor authentication to protect user actions.
Pentestas' Recommendations
Deploy a robust Content Security Policy (CSP) and regularly audit your settings. Use automated tools to detect missing headers and vulnerabilities in real-time.
Continuous integration and continuous deployment (CI/CD) pipelines can significantly aid in clickjacking prevention. By integrating security checks into the CI/CD process, we ensure that security headers are correctly configured before code is deployed to production. Automated tools like OWASP's Zed Attack Proxy (ZAP) can be integrated into pipelines to scan for vulnerabilities, providing immediate feedback to developers.
For developers seeking tools and frameworks to aid in prevention, Pentestas recommends utilizing modern frameworks such as React and Angular, which inherently mitigate many risks associated with clickjacking through their component-based architecture. Additionally, employing tools like Helmet for Node.js can automatically set HTTP headers to secure your applications. By following these practices and leveraging these tools, developers can build resilient applications that stand strong against clickjacking attacks.
Challenges and Future Directions
Current clickjacking prevention techniques, such as the X-Frame-Options header, present significant limitations. Though commonly used, this approach does not offer granularity and lacks support for complex scenarios where legitimate framing is needed. For example, using X-Frame-Options: SAMEORIGIN can inadvertently block valid use cases, leading to poor user experience. In contrast, the Content Security Policy (CSP) frame-ancestors directive offers more flexibility, but its adoption is inconsistent across web platforms. As the web evolves, these techniques require refinement to handle more nuanced threat scenarios.
Emerging threats like UI redressing attacks are pushing the boundaries of traditional clickjacking defenses. These sophisticated techniques can bypass existing solutions, necessitating a rethink of security strategies. Addressing these challenges will require collaboration across the industry to standardize advanced security protocols. Future web security protocols must integrate machine learning models to dynamically detect and respond to these threats in real-time, minimizing potential damage.
The Path Forward
Pentestas is committed to evolving its platform by integrating AI-driven analytics to preemptively identify clickjacking attempts. Our roadmap includes enhancing our security API to support customizable policy definitions, giving developers the tools they need to safeguard their applications. By focusing on proactive threat detection, we aim to set a new standard in web security.
As we continue to innovate, we call on developers to prioritize clickjacking prevention in their design and development processes. Employing a defense-in-depth strategy, developers should leverage the capabilities of both existing and emerging security protocols. It is imperative to regularly update and audit security measures, ensuring they align with the latest threat landscape. By doing so, we can collectively mitigate the risks posed by clickjacking and safeguard user interactions across the web.
Where Pentestas applies this in the engagement
The pattern above is part of the day-to-day machinery of Pentestas's pentesting-as-a-service workflow. As an AI penetration testing system, the platform feeds every detected primitive through verification, chain orchestration, and evidence-graph weighting before the result lands in the report — the same flow whether the engagement is a quick B2B SaaS pentest before a Series A diligence call, a quarterly compliance run, or a continuous monitoring subscription. Our penetration testing with Claude path powers the analyst-grade narrative; penetration testing with DeepSeek powers the broad-spectrum coverage. Customers pick the routing per scan or per environment.
Teams looking at penetration testing with AI typically come to Pentestas after a manual engagement caught five issues and they want continuous coverage for the next four hundred regressions; the platform exists for exactly that gap.
Alexander Sverdlov
Founder of Pentestas. Author of 2 information security books, cybersecurity speaker at the largest cybersecurity conferences in Asia and a United Nations conference panelist. Former Microsoft security consulting team member, external cybersecurity consultant at the Emirates Nuclear Energy Corporation.