No clickjacking protection

Clickjacking is an attack in which your legitimate page is loaded inside an invisible or disguised frame on an attacker-controlled site, so that visitors click buttons or submit forms on your page without realising it. The response headers that tell browsers not to allow this embedding (X-Frame-Options, or a Content-Security-Policy header with a frame-ancestors directive) are missing from this site's responses.

Why this matters

An attacker can build a page that loads your real form or button (for example a payment confirmation, an account-settings page or an OAuth consent screen) in a transparent frame positioned over harmless-looking content, so that a visitor who thinks they are clicking on the attacker's page is actually clicking on yours. Because the framed page is loaded with the victim's own cookies, the attacker needs neither the password nor the second factor: the victim has already logged in and completed two-factor authentication, so that protection does not stop the attack. The result can be a changed email address or password, an approved payment or transfer, or a granted consent, leading to account takeover or fraudulent transactions.

How to fix it

Send either the X-Frame-Options: DENY header or a Content-Security-Policy header containing frame-ancestors 'none' on every HTML response, not only on the pages that currently carry sensitive forms. Either one prevents your pages from being embedded in frames on other sites. If you legitimately frame your own pages, use X-Frame-Options: SAMEORIGIN or frame-ancestors 'self' instead. Two caveats: browsers that understand frame-ancestors ignore X-Frame-Options entirely when both are present, so if you send both they must agree; and frame-ancestors only works as a response header, not in a <meta> tag. The deprecated X-Frame-Options: ALLOW-FROM value is ignored by current browsers and provides no protection. This is typically a one-line change in your web server or CDN configuration; after deploying it, confirm by inspecting the response headers of a protected page.
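The following checker is added here as a worked example; it is not part of this finding's text or of any scanner. It classifies a response's headers by the precedence rule described above: a frame-ancestors directive in an enforcing Content-Security-Policy header wins, otherwise X-Frame-Options is consulted, and only DENY or SAMEORIGIN count. The header dictionaries in SAMPLES are constructed for illustration, and partner.example is a placeholder origin.

```python
"""Classify HTTP response headers by the framing protection they give.

Added example for this finding; not code from the page's author or from
any scanner. The header sets in SAMPLES are constructed for illustration.
"""
from __future__ import annotations


def _header(headers: dict[str, str], name: str) -> str | None:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def csp_frame_ancestors(csp: str) -> list[str] | None:
    """Return the frame-ancestors source list from a CSP value.

    None means the directive is absent, which leaves framing unrestricted
    as far as CSP is concerned. Only the first occurrence is used because
    browsers ignore repeated directives within one policy.
    """
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [source.lower() for source in parts[1:]]
    return None


def framing_protection(headers: dict[str, str]) -> str:
    """Return 'blocked', 'same-origin', 'allowlist' or 'none'.

    Precedence follows browser behaviour: when an enforcing
    Content-Security-Policy carries frame-ancestors, X-Frame-Options is
    ignored completely, so a permissive CSP is not rescued by a strict
    X-Frame-Options. Content-Security-Policy-Report-Only is deliberately
    not consulted; it reports violations but never blocks framing.
    """
    csp = _header(headers, "Content-Security-Policy")
    if csp is not None:
        sources = csp_frame_ancestors(csp)
        if sources is not None:
            # An empty source list or 'none' matches no ancestor at all.
            if not sources or sources == ["'none'"]:
                return "blocked"
            if sources == ["'self'"]:
                return "same-origin"
            return "allowlist"

    xfo = _header(headers, "X-Frame-Options")
    if xfo is not None:
        value = xfo.strip().lower()
        if value == "deny":
            return "blocked"
        if value == "sameorigin":
            return "same-origin"
        # ALLOW-FROM and any other value are ignored by current browsers,
        # so they give no protection.
    return "none"


# Constructed sample responses (not captured from any real site).
SAMPLES: dict[str, dict[str, str]] = {
    "no headers": {},
    "xfo deny": {"X-Frame-Options": "DENY"},
    "xfo allow-from (unsupported)": {
        "X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp none": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp allowlist overrides xfo": {
        "Content-Security-Policy": "frame-ancestors 'self' https://partner.example",
        "X-Frame-Options": "DENY"},
    "report-only is not enforcement": {
        "Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
}


def findings(samples: dict[str, dict[str, str]] = SAMPLES) -> dict[str, str]:
    """Map each sample name to its protection level, for reporting."""
    return {name: framing_protection(hdrs) for name, hdrs in samples.items()}


if __name__ == "__main__":
    labels = {"blocked": "OK", "same-origin": "OK", "allowlist": "REVIEW", "none": "MISSING"}
    for name, level in findings().items():
        print(f"{labels[level]:8}{name}: {level}")
```

Feed it the headers of a real response (for example, the dictionary from an HTTP client library) to get the same verdict a scanner would produce; an "allowlist" result is not a failure but should be reviewed to confirm every listed origin is trusted.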