First of all, what is Clickjacking?
Clickjacking, also known as a “UI redress attack”, is an attack that fools users into thinking they are clicking on one thing when they are actually clicking on another. Users think they are using a normal web page, but in fact a hidden UI is in control; in other words, the UI has been redressed.
When users click on something they believe is safe, the hidden UI does something different, potentially revealing sensitive information or allowing others to take control of their computer.
Why should you prevent it?
The attack is possible thanks to HTML frames (iframes): the ability to display one web page inside another. If a web page allows itself to be displayed within an iframe, an attacker can load it on their own page and cover it with a hidden, transparent layer containing their own JavaScript and UI elements. That way they can steal passwords, credit card numbers or any other valuable information from your users.
How to prevent it on Meteor
It’s pretty straightforward: Meteor has a package called browser-policy, which handles many security concerns. You can read more about it on the documentation page.
You can use many different configurations, but the default one is good enough to prevent attackers from framing your website.
Basically, you just need to install browser-policy-framing, which prevents clickjacking attacks:
meteor add browser-policy-framing
This package adds the X-Frame-Options HTTP header to your Meteor app’s responses, which prevents those attacks. If you need to allow some domains to iframe your website, use the configuration described in the documentation.
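To make the header's effect concrete, here is an added example that is not code from this post or from the browser-policy package. It builds the anti-framing headers the post describes as a plain header object (the SAMEORIGIN default, plus the newer Content-Security-Policy frame-ancestors directive for the case where specific partner domains must be allowed, since X-Frame-Options cannot express a list), and it includes a checker that reads a response's headers and decides whether a given top-level origin could frame the page, so you can verify a deployment rather than trust the configuration. The origins and sample responses are constructed, and the checker compares CSP host sources as exact origin strings, which is a simplification of real browser matching.

```javascript
// Added example, not from the Meteor blog post or the browser-policy package.
// (1) antiFramingHeaders builds the anti-framing headers the post describes;
// (2) canBeFramed reads a response's headers and decides whether a given
//     top-level origin could frame the page, for verifying a deployment.

// Build anti-framing response headers. With no allowed origins this is the
// SAMEORIGIN policy the post says browser-policy-framing applies by default,
// expressed both as X-Frame-Options and as the CSP frame-ancestors directive.
// X-Frame-Options cannot express a list of origins, so an allow-list goes into
// frame-ancestors; SAMEORIGIN stays as a fallback for browsers without CSP.
function antiFramingHeaders(allowedOrigins = []) {
  const sources = ["'self'", ...allowedOrigins].join(' ');
  return {
    'X-Frame-Options': 'SAMEORIGIN',
    'Content-Security-Policy': `frame-ancestors ${sources}`,
  };
}

// Case-insensitive header lookup (HTTP header names are case-insensitive).
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Return true if a document served with `headers` (origin `pageOrigin`) could be
// embedded in a frame whose top-level document has origin `framerOrigin`.
// Simplification: CSP host sources are compared as exact origin strings; real
// browsers also handle wildcards, scheme-only and path sources.
function canBeFramed(headers, pageOrigin, framerOrigin) {
  const page = pageOrigin.toLowerCase();
  const framer = framerOrigin.toLowerCase();

  // When a frame-ancestors directive is present, CSP-capable browsers use it
  // and ignore X-Frame-Options.
  const csp = getHeader(headers, 'content-security-policy');
  if (csp !== undefined) {
    const directive = csp
      .split(';')
      .map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith('frame-ancestors'));
    if (directive !== undefined) {
      const sources = directive
        .split(/\s+/)
        .slice(1)
        .map((s) => s.toLowerCase().replace(/^'|'$/g, ''));
      if (sources.includes('none')) return false;
      if (sources.includes('*')) return true;
      if (sources.includes('self') && framer === page) return true;
      return sources.includes(framer);
    }
  }

  // Otherwise fall back to X-Frame-Options.
  const xfo = getHeader(headers, 'x-frame-options');
  if (xfo === undefined) return true; // no policy at all: any site may frame it
  switch (xfo.trim().toUpperCase()) {
    case 'DENY':
      return false;
    case 'SAMEORIGIN':
      return framer === page;
    default:
      // ALLOW-FROM is not supported by current browsers and unknown values are
      // ignored, so treat the page as frameable.
      return true;
  }
}

// Audit a set of responses against the page's own origin and an unrelated
// cross-origin site. Origins are constructed examples.
function auditFraming(responses, pageOrigin, crossOrigin) {
  const report = {};
  for (const [name, headers] of Object.entries(responses)) {
    report[name] = {
      sameOrigin: canBeFramed(headers, pageOrigin, pageOrigin),
      crossOrigin: canBeFramed(headers, pageOrigin, crossOrigin),
    };
  }
  return report;
}

// Constructed sample responses (not captured from any real deployment).
const SAMPLE_RESPONSES = {
  unprotected: { 'Content-Type': 'text/html' },
  packageDefault: { 'content-type': 'text/html', 'x-frame-options': 'SAMEORIGIN' },
  partnerAllowed: antiFramingHeaders(['https://partner.example']),
};

console.log(auditFraming(SAMPLE_RESPONSES, 'https://app.example', 'https://other.example'));
```

Running the block reports that the unprotected response can be framed from anywhere, while both the package default and the partner allow-list block the unrelated origin. In a Meteor app you would not normally set these headers yourself, since browser-policy-framing already does so; the checker is the useful part, for confirming with a real response (for example from curl -I) that the header actually reaches the browser after any reverse proxy or CDN in front of the app.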
Reference: https://docs.meteor.com/packages/browser-policy.html
How to Prevent Clickjacking Attacks in Your Meteor App was originally published in Meteor Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.