Clickjacking Attack Prevention

Brief:

Clickjacking is related to UI redressing. Hacker writes some malicious script related to UI part. It will create the hidden UI element which will do the malicious action.

e.g. If your system will have some button to save the data in you system code - so the hidden element of UI will call to other server to save data on his/her server - it will hack some useful data. Also, if there is a button like compose email and if someone has added a malicious script on that button a malicious script, will go to website like xyz.com, every time when user tries to compose, then it will redirect to other website. This will result into delivering the user's data into attackers hand leading to misuse of data.

Initially Google also used the code to deny the script like this, but in some cases when we want to open the popup which is from server then it is also getting denied.
So to avoid this, we use SAMEORIGIN keyword in HTML tag. It will allow only server side data to show.

How It Works: 

The meta tag can be added on every HTML page of our system Keyword 'deny' is used to avoid any overlay irrespective of the content

<meta http-equiv="X-Frame-Options" content="deny">

keyword 'SAMEORIGIN' is used to allow overlay or popup limited to our web application only.

<meta http-equiv="X-Frame-Options" content="SAMEORIGIN">

we have created a header file header.php for that. It will get called from every page or you can add it in .htaccess file: Header set X-Frame-Options SAMEORIGIN