My project has ExtJS as the front end and Spring Boot as the backend. ExtJS calls Spring Boot, which responds with JSON. I wanted to prevent clickjacking attacks in my project. I have a simple HTML page which just loads the website in an iframe. If the website loads inside the iframe, then it is not secure. I have added the following headers, X-Frame-Options: DENY and Content-Security-Policy: frame-ancestors 'none'; in the Spring Boot REST API responses to prevent that. But even then, it does not prevent my application from being loaded in an iframe. The code to check whether clickjacking is possible is:
<!DOCTYPE html>
<html>
  <head>
    <title>Clickjack test page</title>
  </head>
  <body>
    <!-- This message is static: it is shown whether or not the frame actually renders -->
    <p>Website is vulnerable to clickjacking!</p>
    <iframe src="http://localhost:8000" width="1000" height="1000"></iframe>
  </body>
</html>
Here, localhost:8000 refers to the ExtJS URL. I researched and found out that client-side validations to prevent clickjacking are not that effective. So are there any options to prevent clickjacking attacks in my project?
The issue was resolved by setting
Header always append X-Frame-Options DENY
in the Apache server conf file.
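The thread's resolution turns on which response carries the header: the anti-framing headers on the JSON API responses did nothing for the ExtJS page itself, and the fix was to add X-Frame-Options on the Apache server that delivers that page at localhost:8000. The following is an added example (not code from the asker or the answerer) of a small defender-side check that inspects the headers of the response that actually serves the HTML document and reports whether X-Frame-Options or a CSP frame-ancestors directive forbids framing. It uses only the Python standard library; the sample header maps are constructed for illustration and are not captured from the asker's servers, and the URL argument is an assumption (pass your own front-end URL).

```python
"""Check whether an HTTP response's headers forbid framing (anti-clickjacking).

Added example, not part of the original question or answer. Assumes a front-end
URL you supply on the command line (the question's http://localhost:8000 is the
obvious candidate); with no argument it evaluates a constructed sample instead.
"""
import sys
import urllib.request
from typing import Mapping, Optional


def xfo_blocks_framing(value: Optional[str]) -> bool:
    """True if an X-Frame-Options value forbids framing by third-party sites."""
    if value is None:
        return False
    return value.strip().upper() in ("DENY", "SAMEORIGIN")


def csp_frame_ancestors(value: Optional[str]) -> Optional[list]:
    """Return the source list of the CSP frame-ancestors directive, or None if absent."""
    if value is None:
        return None
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def csp_blocks_framing(value: Optional[str]) -> bool:
    """True if frame-ancestors is present and does not allow arbitrary sites.

    Assumes a single Content-Security-Policy header; if several are sent, the
    browser applies the most restrictive one, which this check does not model.
    """
    sources = csp_frame_ancestors(value)
    if sources is None:
        return False
    if sources == ["'none'"]:
        return True
    # Any explicit allow-list is still a restriction unless it contains a wildcard.
    return all(s not in ("*", "http:", "https:") for s in sources)


def framing_blocked(headers: Mapping[str, str]) -> dict:
    """Evaluate a header map (names matched case-insensitively) and report each protection."""
    lower = {k.lower(): v for k, v in headers.items()}
    xfo = xfo_blocks_framing(lower.get("x-frame-options"))
    csp = csp_blocks_framing(lower.get("content-security-policy"))
    return {"x_frame_options": xfo, "csp_frame_ancestors": csp, "blocked": xfo or csp}


def fetch_headers(url: str) -> dict:
    """GET the URL and return its response headers (performs a real network request)."""
    with urllib.request.urlopen(url) as resp:
        return dict(resp.headers.items())


# Constructed samples mirroring the situations in the thread (not real captures).
JSON_API_ONLY = {                      # what the Spring Boot REST responses carried
    "Content-Type": "application/json",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none';",
}
HTML_UNPROTECTED = {"Content-Type": "text/html"}          # ExtJS page before the fix
HTML_AFTER_APACHE_FIX = {"Content-Type": "text/html",      # ExtJS page after the fix
                         "X-Frame-Options": "DENY"}

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    hdrs = fetch_headers(target) if target else HTML_UNPROTECTED
    print(framing_blocked(hdrs))
```

Run it as `python check_framing.py http://localhost:8000` against the URL the test page frames; the point is that the document response, not the API response, must report `"blocked": True`.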