원클릭으로
sc-clickjacking
Clickjacking and UI redressing detection — missing frame protection headers and CSP frame-ancestors
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Clickjacking and UI redressing detection — missing frame protection headers and CSP frame-ancestors
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
Comprehensive AI-powered security scanning suite with 48 skills covering OWASP Top 10, 7 language-specific deep scanners (Go, TypeScript, Python, PHP, Rust, Java, C#), supply chain analysis, infrastructure-as-code scanning, and 3000+ checklist items. Use when you need to run a security audit, find vulnerabilities, scan a PR for security issues, or perform a penetration test on a codebase.
C#/.NET-specific security deep scan
Go-specific security deep scan
Java/Kotlin-specific security deep scan
PHP-specific security deep scan
Python-specific security deep scan
| name | sc-clickjacking |
| description | Clickjacking and UI redressing detection — missing frame protection headers and CSP frame-ancestors |
| license | MIT |
| metadata | {"author":"ersinkoc","category":"security","version":"1.0.0"} |
Detects clickjacking vulnerabilities where applications can be embedded in iframes on malicious sites, tricking users into clicking hidden elements. Checks for missing X-Frame-Options header, missing Content-Security-Policy frame-ancestors directive, and framebusting bypass vulnerabilities.
Called by sc-orchestrator during Phase 2 when web applications serving HTML are detected.
"X-Frame-Options", "frame-ancestors", "DENY", "SAMEORIGIN",
"helmet", "frameguard", "X_FRAME_OPTIONS",
"SECURE_BROWSER_XSS_FILTER", "clickjack"
X-Frame-Options header set? (DENY or SAMEORIGIN)Content-Security-Policy: frame-ancestors set?// VULNERABLE: No frame protection headers
app.get('/', (req, res) => {
res.send('<html>...'); // Can be iframed by any site
});
// SAFE: Using helmet
const helmet = require('helmet');
app.use(helmet.frameguard({ action: 'deny' }));
// Or CSP
app.use(helmet.contentSecurityPolicy({
directives: { frameAncestors: ["'self'"] }
}));
# Django settings.py
X_FRAME_OPTIONS = 'DENY' # SAFE
# If missing → VULNERABLE
// SAFE: Set header in middleware
func securityHeaders(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
w.Header().Set("X-Frame-Options", "DENY")
w.Header().Set("Content-Security-Policy", "frame-ancestors 'none'")
next.ServeHTTP(w, r)
})
}
X-Frame-Options: DENY and Content-Security-Policy: frame-ancestors 'none'.