Paste a URL. We'll try to load it inside an invisible frame, exactly like an attacker would. If it shows up, you're vulnerable to clickjacking.
100% in your browser. Your URL is never sent to any server.
Try it: example.com (framable), github.com (protected), or show me a live attack.
No magic, no account, no scan queue: just the truth your browser already knows.
This page drops your site into an <iframe>, the same move any malicious page can make.
If your site sends the right headers, the browser refuses to render it and the box stays empty.
Site visible = framable = vulnerable. Drag the opacity slider to see how an attacker hides it.
An attacker loads your real site in a transparent frame and floats a decoy on top. You think you're clicking "Claim prize", but your click lands on your logged-in page underneath: a transfer button, a "delete account", an OAuth "Allow".
Framing can't read what you type into another origin; the same-origin policy blocks that. The risk is tricked clicks on pages you're already logged into.
"Bust out of the frame" (frame-busting) scripts are neutered when the attacker puts the sandbox attribute on the iframe. Response headers are the only reliable defense.
Telling browsers who's allowed to frame you takes two lines of config and breaks nothing for your own site.
Send these response headers on every page. SAMEORIGIN still lets you frame your own pages.
# Blocks all cross-origin framing (honored everywhere, even legacy browsers)
X-Frame-Options: SAMEORIGIN
# The modern equivalent: only enforced when your CSP is NOT report-only
Content-Security-Policy: frame-ancestors 'self'
The open-source laravel-security package ships this as middleware, alongside CSP nonces, HSTS, SRI and Permissions-Policy: github.com/lets-make-dev/laravel-security
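The same verdict this page reaches by rendering your site in a frame can be reached from the response headers alone, which is handy in a CI check or a log-review script. Below is an added example in plain JavaScript (Node, no dependencies); it is not the page's code and not the laravel-security package's. It builds the two headers recommended above and then evaluates a header set the way a browser would: an enforced frame-ancestors directive wins, X-Frame-Options is the legacy fallback, and a report-only CSP counts for nothing. The function names, the `allowedAncestors` parameter and the sample header sets are my own constructions.

```javascript
// Added example: header-level clickjacking check plus the recommended fix.
// Not code from the page or from laravel-security; names are my own.

// Build the anti-framing response headers the page recommends.
// `allowedAncestors` (constructed assumption): extra origins you deliberately
// permit to frame you, e.g. a partner site. Empty means only your own origin.
function antiFramingHeaders(allowedAncestors = []) {
  const ancestors = ["'self'", ...allowedAncestors].join(' ');
  return {
    // Legacy-safe: every browser honors DENY / SAMEORIGIN.
    'X-Frame-Options': 'SAMEORIGIN',
    // Modern equivalent; must live in the enforcing CSP header, not report-only.
    'Content-Security-Policy': `frame-ancestors ${ancestors}`,
  };
}

// Decide, from response headers alone, whether an arbitrary cross-origin page
// could frame this response. Header names match case-insensitively, as in
// browsers. Returns { framable: boolean, reason: string }.
function assessFraming(headers) {
  const get = (name) => {
    const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
    return key ? String(headers[key]).trim() : null;
  };

  // 1. An enforced CSP frame-ancestors directive takes precedence over
  //    X-Frame-Options, so check it first.
  const csp = get('content-security-policy');
  if (csp) {
    const directive = csp
      .split(';')
      .map((d) => d.trim())
      .find((d) => /^frame-ancestors\b/i.test(d));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1).map((s) => s.toLowerCase());
      if (sources.includes('*')) {
        return { framable: true, reason: "frame-ancestors allows any origin ('*')" };
      }
      return {
        framable: false,
        reason: `CSP frame-ancestors restricts framing to: ${sources.join(' ') || "'none'"}`,
      };
    }
  }

  // 2. Legacy header, consulted when no enforced frame-ancestors exists.
  const xfo = get('x-frame-options');
  if (xfo) {
    const value = xfo.toLowerCase();
    if (value === 'deny' || value === 'sameorigin') {
      return { framable: false, reason: `X-Frame-Options: ${xfo} blocks cross-origin framing` };
    }
    // Anything else (e.g. the obsolete ALLOW-FROM) is not enforced by current browsers.
    return { framable: true, reason: `X-Frame-Options value "${xfo}" is not enforced by modern browsers` };
  }

  // 3. A report-only CSP never blocks anything; call that out so it is not
  //    mistaken for protection (the caveat in the config comment above).
  const reportOnly = get('content-security-policy-report-only');
  const reason = reportOnly && /frame-ancestors/i.test(reportOnly)
    ? 'frame-ancestors only in Content-Security-Policy-Report-Only; nothing is enforced'
    : 'no anti-framing headers';
  return { framable: true, reason };
}

// Usage on constructed header sets (not captured from any real site).
const samples = {
  hardened: antiFramingHeaders(),
  reportOnlyTrap: { 'Content-Security-Policy-Report-Only': "frame-ancestors 'self'" },
  nothing: {},
};
for (const [name, headers] of Object.entries(samples)) {
  const { framable, reason } = assessFraming(headers);
  console.log(`${name}: ${framable ? 'FRAMABLE' : 'protected'} (${reason})`);
}
```

Feed `assessFraming` the headers from a real response (for example `res.headers` from Node's `https.get`) and treat `framable: true` as a failing check; the report-only case is the one that most often fools a quick manual look, because the directive is visibly present yet enforces nothing.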