Information Security with HelmetJS - Mitigate the Risk of Clickjacking with helmet.frameguard()

As a reminder, this project is being built upon the following starter project on Glitch, or cloned from GitHub.

Your page could be put in a <frame> or <iframe> without your consent. This can result in clickjacking attacks, among other things. Clickjacking is a technique of tricking a user into interacting with a page different from what the user thinks it is. This can be obtained executing your page in a malicious context, by mean of iframing. In that context a hacker can put a hidden layer over your page. Hidden buttons can be used to run bad scripts. This middleware sets the X-Frame-Options header. It restricts who can put your site in a frame. It has three modes: DENY, SAMEORIGIN, and ALLOW-FROM.

We don’t need our app to be framed. You should use helmet.frameguard() passing with the configuration object {action: 'deny'}.

Get a hint