Security

Clickjacking

An attack that tricks users into clicking hidden elements by overlaying a transparent iframe over a legitimate page, causing unintended actions such as authorizing transactions or changing settings. Clickjacking is prevented by sending the X-Frame-Options response header with DENY or SAMEORIGIN, or by using the CSP frame-ancestors directive to restrict which origins may embed the page. Modern browsers enforce these headers before rendering any framed content.
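The header check described above, as an added example that is not part of the original page: it classifies a response's anti-framing protection from X-Frame-Options and CSP frame-ancestors, giving frame-ancestors precedence when both are present. The function names and verdict strings are hypothetical, and the X-Frame-Options handling follows the HTML Standard's processing rules.

```python
# Added example (not from the original page): classify a response's
# anti-framing protection from its headers. Names here are hypothetical.

def _frame_ancestors(csp_values):
    """Return one source list per enforced policy that sets frame-ancestors."""
    found = []
    for value in csp_values:
        for policy in value.split(","):       # one header may carry several policies
            seen = set()
            for directive in policy.split(";"):
                parts = directive.split()
                if not parts or parts[0].lower() in seen:
                    continue                  # empty, or duplicate (first one wins)
                seen.add(parts[0].lower())
                if parts[0].lower() == "frame-ancestors":
                    found.append([p.lower() for p in parts[1:]])
    return found

def framing_policy(headers):
    """headers: list of (name, value) pairs. Returns (verdict, reason)."""
    # Content-Security-Policy-Report-Only is deliberately not matched: it only reports.
    csp = [v for n, v in headers if n.lower() == "content-security-policy"]
    policies = _frame_ancestors(csp)
    if policies:                              # frame-ancestors overrides X-Frame-Options
        if any(p in ([], ["'none'"]) for p in policies):
            return "deny", "frame-ancestors 'none'"
        if any(p == ["'self'"] for p in policies):
            return "same-origin", "frame-ancestors 'self'"
        if all("*" in p for p in policies):
            return "unprotected", "frame-ancestors allows any origin"
        return "allowlist", "frame-ancestors source list"
    xfo = {t.strip().upper() for n, v in headers
           if n.lower() == "x-frame-options" for t in v.split(",") if t.strip()}
    # Several differing values that include a recognised one block framing.
    if len(xfo) > 1 and xfo & {"DENY", "SAMEORIGIN", "ALLOWALL"}:
        return "deny", "conflicting X-Frame-Options values"
    if xfo == {"DENY"}:
        return "deny", "X-Frame-Options: DENY"
    if xfo == {"SAMEORIGIN"}:
        return "same-origin", "X-Frame-Options: SAMEORIGIN"
    # Covers a missing header and the obsolete ALLOW-FROM, which browsers ignore.
    return "unprotected", "no enforceable anti-framing header"
```

A verdict of "unprotected" on a page that performs state-changing actions is the finding to act on; "allowlist" results need the listed origins reviewed by hand.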
