Paste any URL you're authorized to test. Scorifya fetches the response and shows your X-Frame-Options and CSP frame-ancestors coverage alongside the rest of your security headers.
Free tool
Clickjacking is when an attacker loads your page inside an invisible iframe on their own site and tricks a logged-in visitor into clicking something they cannot see, like a confirm or delete button. The defense is simple: tell browsers your pages may not be framed by other origins, using the X-Frame-Options header or, better, the frame-ancestors directive in a Content-Security-Policy. A checker tells you whether that protection is actually in place.
Paste any URL you're allowed to test. Scorifya fetches the response and reports your X-Frame-Options header and CSP frame-ancestors directive, present or absent, so you can tell whether your pages can be embedded by other sites. Framing protection sits inside the broader 0 to 100 hardening score.
This page is written for people searching for "clickjacking checker": it is the same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like—paste your URL above for a live score on your site.
Example A: no framing protection
TLS and most headers are fine, but neither X-Frame-Options nor a CSP frame-ancestors directive is sent, so the pages can be framed by any site.
X-Frame-Options not set
Without anti-framing, your pages can be loaded in attacker-controlled iframes. Add X-Frame-Options: DENY (or SAMEORIGIN if you embed your own pages).
No frame-ancestors in CSP
The modern equivalent is a frame-ancestors directive in your Content-Security-Policy. Setting both is fine and covers older and newer browsers.
Example B: framing locked down
X-Frame-Options is set and the CSP includes frame-ancestors, so the pages cannot be embedded by other origins. The remaining points are elsewhere in the header set.
Framing protection in place
Both X-Frame-Options and frame-ancestors deny outside framing. Keep them in sync if you ever need to allow a specific partner to embed a page.
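The classification behind a report like the two examples above can be written as a small header check. The code below is an added example, not Scorifya's own code: it runs over constructed header dictionaries (one per example, plus a partner-allowlist case) so it works offline, and a real checker would fill that dictionary from the HTTP response of a URL you are authorized to test. It also notes two caveats the report text relies on: a frame-ancestors directive in a Content-Security-Policy-Report-Only header is not enforced, and the deprecated ALLOW-FROM value is ignored by current browsers.

```python
from typing import Dict, List, Optional


def parse_xfo(value: Optional[str]) -> str:
    """Normalise X-Frame-Options to: deny, sameorigin, allow-from, invalid, missing."""
    if value is None:
        return "missing"
    v = value.strip().lower()
    if v == "deny":
        return "deny"
    if v == "sameorigin":
        return "sameorigin"
    if v.startswith("allow-from"):
        return "allow-from"  # deprecated; current browsers ignore it
    return "invalid"


def parse_frame_ancestors(csp: Optional[str]) -> Optional[List[str]]:
    """Return the frame-ancestors source list (lower-cased) or None if absent."""
    if csp is None:
        return None
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_verdict(headers: Dict[str, str]) -> Dict[str, object]:
    """Classify framing protection as blocked, same-origin, allowlist, open or unprotected."""
    lower = {k.lower(): v for k, v in headers.items()}
    xfo = parse_xfo(lower.get("x-frame-options"))
    ancestors = parse_frame_ancestors(lower.get("content-security-policy"))
    notes: List[str] = []

    # Report-Only CSP never blocks framing; flag it so it is not mistaken for coverage.
    if ancestors is None and parse_frame_ancestors(
            lower.get("content-security-policy-report-only")) is not None:
        notes.append("frame-ancestors appears only in Report-Only CSP; it is not enforced")

    if ancestors:  # enforced CSP with a non-empty frame-ancestors list
        if ancestors == ["'none'"]:
            verdict = "blocked"
        elif "*" in ancestors:
            verdict = "open"
        elif ancestors == ["'self'"]:
            verdict = "same-origin"
        else:
            verdict = "allowlist"
        # CSP-aware browsers follow frame-ancestors; older ones follow X-Frame-Options.
        if (xfo == "deny" and verdict != "blocked") or \
           (xfo == "sameorigin" and verdict != "same-origin"):
            notes.append("X-Frame-Options and frame-ancestors disagree; "
                         "older browsers apply X-Frame-Options")
    else:  # fall back to the legacy header
        if xfo == "deny":
            verdict = "blocked"
            notes.append("legacy X-Frame-Options only; add frame-ancestors to CSP")
        elif xfo == "sameorigin":
            verdict = "same-origin"
            notes.append("legacy X-Frame-Options only; add frame-ancestors to CSP")
        else:
            verdict = "unprotected"
            if xfo == "allow-from":
                notes.append("ALLOW-FROM is deprecated and ignored; use frame-ancestors")
            elif xfo == "invalid":
                notes.append("X-Frame-Options value not recognised; browsers ignore it")

    return {"x_frame_options": xfo, "frame_ancestors": ancestors,
            "verdict": verdict, "notes": notes}


# Constructed header sets mirroring Example A and Example B above, plus a partner case.
EXAMPLE_A = {"Strict-Transport-Security": "max-age=63072000",
             "Content-Type": "text/html"}
EXAMPLE_B = {"X-Frame-Options": "DENY",
             "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}
PARTNER = {"X-Frame-Options": "SAMEORIGIN",
           "Content-Security-Policy": "frame-ancestors 'self' https://partner.example"}

if __name__ == "__main__":
    for name, hdrs in (("A", EXAMPLE_A), ("B", EXAMPLE_B), ("partner", PARTNER)):
        print(name, framing_verdict(hdrs))
```

The PARTNER case shows the "keep them in sync" point from Example B: an X-Frame-Options of SAMEORIGIN next to a frame-ancestors allowlist means CSP-aware browsers admit the partner while older browsers refuse it, and the checker reports that disagreement rather than silently picking one header.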
Set X-Frame-Options to DENY or SAMEORIGIN
X-Frame-Options: DENY stops any site from framing your pages. Use SAMEORIGIN if you embed your own pages in iframes. Set it once at your web server, reverse proxy, or framework so every response carries it.
Add frame-ancestors to your CSP
frame-ancestors 'none' in a Content-Security-Policy is the modern, more flexible way to control framing, and it covers cases X-Frame-Options cannot express. Setting both is the safe default for broad browser support.
Allow specific partners deliberately
If a partner genuinely needs to embed one of your pages, allow only their origin in frame-ancestors rather than removing the protection entirely. Keep that exception scoped to the specific pages that need it.
Protect state-changing pages first
Clickjacking matters most on pages where a single click does something: account settings, confirmations, payments. Make sure framing protection covers those routes, not just the homepage.
Re-scan after every header change
Headers update on the very next response after a deploy, unless a cache or CDN in front of your origin is still serving the old response. Re-scan immediately to confirm the framing protection is present where you expect it.
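The tips above say to set framing protection once at the framework level and to scope any partner exception to the specific page that needs it. The WSGI middleware below is an added example, not Scorifya's code: `PARTNER_EMBEDS`, `demo_app` and the paths are constructed for illustration. It sends frame-ancestors 'none' plus X-Frame-Options: DENY on every response, allows one partner origin on one route only, and merges frame-ancestors into a CSP the application already set rather than emitting a second Content-Security-Policy header (two CSP headers are both enforced, which is a common way to break a page by accident).

```python
from typing import Callable, Dict, Iterable, List, Tuple

Header = Tuple[str, str]

# Hypothetical per-path exceptions (constructed): route -> origins allowed to frame it.
PARTNER_EMBEDS: Dict[str, List[str]] = {
    "/widgets/quote": ["https://partner.example"],
}


def framing_headers(path: str) -> List[Header]:
    """Headers for one path: locked down by default, allowlisted only where declared."""
    allowed = PARTNER_EMBEDS.get(path)
    if allowed:
        sources = " ".join(["'self'"] + allowed)
        # X-Frame-Options cannot express a partner origin and ALLOW-FROM is deprecated,
        # so SAMEORIGIN is the fallback for browsers that do not understand frame-ancestors.
        return [("Content-Security-Policy", f"frame-ancestors {sources}"),
                ("X-Frame-Options", "SAMEORIGIN")]
    return [("Content-Security-Policy", "frame-ancestors 'none'"),
            ("X-Frame-Options", "DENY")]


def merge_headers(existing: List[Header], framing: List[Header]) -> List[Header]:
    """Replace any X-Frame-Options and append frame-ancestors to an existing CSP."""
    out = [(k, v) for k, v in existing if k.lower() != "x-frame-options"]
    csp_idx = next((i for i, (k, _) in enumerate(out)
                    if k.lower() == "content-security-policy"), None)
    for name, value in framing:
        if name == "Content-Security-Policy" and csp_idx is not None:
            k, v = out[csp_idx]
            if "frame-ancestors" not in v.lower():
                out[csp_idx] = (k, v.rstrip("; ") + "; " + value)
            # else: the application already chose a frame-ancestors policy; keep it
        else:
            out.append((name, value))
    return out


def add_framing_protection(app: Callable) -> Callable:
    """WSGI middleware: every response leaves with framing protection attached."""
    def wrapped(environ, start_response):
        path = environ.get("PATH_INFO", "/")

        def protected_start(status, headers, exc_info=None):
            return start_response(status, merge_headers(headers, framing_headers(path)),
                                  exc_info)
        return app(environ, protected_start)
    return wrapped


def demo_app(environ, start_response) -> Iterable[bytes]:
    """Constructed application: /settings already sends its own CSP."""
    headers: List[Header] = [("Content-Type", "text/html")]
    if environ.get("PATH_INFO") == "/settings":
        headers.append(("Content-Security-Policy", "default-src 'self'"))
    start_response("200 OK", headers)
    return [b"<html>ok</html>"]


def response_headers(app: Callable, path: str) -> Dict[str, str]:
    """Invoke a WSGI app for one path offline and return its response headers."""
    captured: Dict[str, Dict[str, str]] = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = dict(headers)
        return lambda data: None  # write() callable, unused here
    b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["headers"]


protected_app = add_framing_protection(demo_app)

if __name__ == "__main__":
    for p in ("/", "/settings", "/widgets/quote"):
        print(p, response_headers(protected_app, p))
```

Because the middleware is keyed on the request path, the state-changing routes the tips single out (settings, confirmations, payments) get the default DENY / 'none' policy automatically; only a route listed in the exception map is ever relaxed, and only to the named origin.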
For weights and penalties behind each category, see How Scorifya works.
Background explainers for what this tool checks.
Clickjacking is an attack where your page is loaded inside a transparent or disguised iframe on a site the attacker controls. A visitor thinks they are interacting with the attacker's page, but their clicks land on your page underneath, potentially confirming an action while they are logged in. The fix is to stop other sites from framing your pages.
frame-ancestors in a Content-Security-Policy is the modern, more capable control: when both headers are present, browsers that support it apply frame-ancestors and ignore X-Frame-Options. X-Frame-Options is the older header and is still widely respected by browsers that predate CSP. The safe approach is to set both: X-Frame-Options for broad compatibility and frame-ancestors for the cases X-Frame-Options cannot express.
Use DENY if your pages never need to be framed, even by yourself. Use SAMEORIGIN if you embed your own pages in iframes on your own site. Avoid the deprecated ALLOW-FROM value; if you need to allow a specific partner, express that with frame-ancestors in your CSP instead.
Yes. Checking your framing protection (and running the full Scorifya scan) is free for any URL you're authorized to test. Pro adds higher rate limits, scheduled re-scans, watch lists with alerts, and exports.
No. Scorifya only fetches public, unauthenticated URLs. Framing protection can differ on authenticated routes, so test those during your own staging passes.
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly—without port scanning.
Hygiene signals
Verbose server banners and risky defaults can raise your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on config or deploying changes, you'll likely run multiple checks as you tighten things up. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.