
Thursday, February 25, 2016

Clickjacking prevention using X Frame Options and J2EE Filter

1. What is Clickjacking?
It is also known as a user interface redress attack (UI redress attack, UI redressing).
It is a malicious technique of tricking a web user into clicking on something different from what the user perceives they are clicking on, typically by loading the target site in an invisible frame on top of a seemingly innocuous page, so that the user's clicks reveal confidential information or perform actions on the user's behalf. The attack abuses ordinary browser behaviour rather than a bug in any single site, so it works across a variety of browsers and platforms unless the framed site tells the browser not to render it in a frame.
2. How to prevent Clickjacking using a Filter in Java
The example below shows how clickjacking happens and how to prevent it.

Here I have created a simple LoginServlet; after a successful login, the user is redirected to a success page.
Everyone knows how to create and deploy a servlet, but I am still writing the steps here for those who have no idea how to do it.
Step 1: Start Eclipse.
Step 2: Create a Dynamic Web Project named clickjacking_prevention.
Step 3: First, create a login.jsp page under the WebContent folder of the project:
<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%>
<html><head><title>Login page</title></head>
<body>
<%-- action assumed: it must match the url-pattern mapped to LoginServlet in web.xml (Step 6) --%>
<form action="LoginServlet" method="post">
User Name: <input type="text" name="username"/><br/>
Password: <input type="password" name="password"/><br/>
<input type="submit" value="Login"/>
</form>
</body></html>
Step 4: Create the success page, loginSuccess.jsp, under WebContent as well:
<%@ page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%>
<html><head><title>Login Success</title></head>
<body>
<h2>Login Successful</h2>
</body></html>
You can construct the page as you like.

Step 5: Now create the LoginServlet:
package com.siva;

import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class LoginServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    public void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        String username = request.getParameter("username");
        String password = request.getParameter("password");
        // Demo-only credentials: a real application compares a salted hash
        // against a user store and never hard-codes a password
        if ("siva".equalsIgnoreCase(username) && "raju".equalsIgnoreCase(password)) {
            System.out.println("inside if condition");
            // successful login: redirect to the success page created in Step 4
            response.sendRedirect("loginSuccess.jsp");
        } else {
            // failed login: send the user back to the login form (behaviour assumed, not shown in the post)
            response.sendRedirect("login.jsp");
        }
    }
}
Step 6: Now configure LoginServlet in web.xml: a servlet element whose servlet-class is com.siva.LoginServlet, and a servlet-mapping whose url-pattern matches the form action used in login.jsp.

Step 7: Once this configuration is done, run the project on any servlet container, such as Apache Tomcat or JBoss, and open
http://localhost:8080/clickjacking_prevention/

The login page opens. Enter username siva and password raju, then submit.
You are redirected to the loginSuccess page.

Step 8: Create an HTML file, name it as you like, and paste the code below into it. The iframe points at the success page of the application deployed in Step 7:

<html>
<head><title>clickjacking</title></head>
<body>
<iframe src="http://localhost:8080/clickjacking_prevention/loginSuccess.jsp" width="600" height="400"></iframe>
</body>
</html>

Step 9: Open this HTML file in the browser: the frame shows exactly the same content as the loginSuccess page.

Step 10: Compare the two screens: one is the page opened directly by its URL, the other is the same page loaded inside an iframe, and they are identical.
An attacker can therefore embed your real site in an invisible frame on a page they control, lure the user into clicking what look like the attacker's own buttons while the clicks actually land on your site, and so steal data or trigger actions with the victim's session.
How do we prevent this?
The application has to send the X-Frame-Options response header, either from a filter or from each JSP page:
response.addHeader("X-Frame-Options", "DENY");
DENY tells the browser never to render the page inside a frame; SAMEORIGIN allows framing only by pages from the same origin. Modern browsers also honour the Content-Security-Policy frame-ancestors directive, which takes precedence over X-Frame-Options when both are present.
Here I have written a Filter to overcome clickjacking:
package com.siva;

import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Adds the X-Frame-Options response header so that the browser refuses to
 * display this application's pages inside a frame on another site.
 */
public class ClickjackingPreventionFilter implements Filter {

    // Browsers honour only DENY and SAMEORIGIN; ALLOW-FROM is obsolete and ignored
    private String mode = "DENY";

    public void init(FilterConfig filterConfig) throws ServletException {
        String configMode = filterConfig.getInitParameter("mode");
        if (configMode != null) {
            configMode = configMode.trim().toUpperCase();
            // Refuse to start with a value the browser would silently ignore
            if (!configMode.equals("DENY") && !configMode.equals("SAMEORIGIN")) {
                throw new ServletException("Unsupported X-Frame-Options mode: " + configMode);
            }
            mode = configMode;
        }
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse res = (HttpServletResponse) response;
        // setHeader rather than addHeader, so a second filter or a page cannot
        // produce a conflicting duplicate; it must be set before the response
        // is committed, i.e. before the chain writes the body
        res.setHeader("X-Frame-Options", mode);
        chain.doFilter(request, response);
    }

    public void destroy() {
    }
}
Step 11: Once the filter is written, add the matching filter and filter-mapping configuration to web.xml.
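The post does not show its web.xml, so the following is an added example written for this page rather than the post's own file. It covers both Step 6 (the servlet) and Step 11 (the filter). The servlet url-pattern /LoginServlet and the login.jsp welcome file are assumptions; the filter is mapped to /* with the REQUEST, FORWARD and ERROR dispatchers so that forwarded pages and error pages carry the header too, which is where the header is most often forgotten.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Step 6: the login form posts to this servlet (url-pattern assumed) -->
  <servlet>
    <servlet-name>LoginServlet</servlet-name>
    <servlet-class>com.siva.LoginServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>LoginServlet</servlet-name>
    <url-pattern>/LoginServlet</url-pattern>
  </servlet-mapping>

  <!-- Step 11: apply the filter to every response; mode may be DENY or SAMEORIGIN -->
  <filter>
    <filter-name>ClickjackingPreventionFilter</filter-name>
    <filter-class>com.siva.ClickjackingPreventionFilter</filter-class>
    <init-param>
      <param-name>mode</param-name>
      <param-value>DENY</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>ClickjackingPreventionFilter</filter-name>
    <url-pattern>/*</url-pattern>
    <!-- without these, RequestDispatcher forwards and container error pages bypass the filter -->
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>ERROR</dispatcher>
  </filter-mapping>

  <!-- http://localhost:8080/clickjacking_prevention/ opens the login page (assumed welcome file) -->
  <welcome-file-list>
    <welcome-file>login.jsp</welcome-file>
  </welcome-file-list>
</web-app>
```

The dispatcher elements require web-app version 2.4 or later; on an older descriptor version they are not recognised and only direct requests are filtered.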


Once the configuration is in place, run the same iframe example again: the frame is rendered without any content. Internet Explorer shows a warning message inside the frame; other browsers simply render nothing. Confirm that the header is actually being sent by looking at the response headers in the browser's developer tools or with curl -I, and check that every response, including error pages, carries it.

This is how we can prevent clickjacking attacks.
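To see why the frame goes blank, and what each header value actually makes the browser do, the following is an added example (not code from the post) that models the browser's framing decision after the WHATWG HTML algorithm "check a navigation response's adherence to X-Frame-Options". It is a simplification written for this page: origins are plain strings, the CSP parser only looks for an enforced frame-ancestors directive, and frame-ancestors sources are matched literally ('self', 'none', '*' or an exact origin). The application origin is the one used in the post; the attacker origin http://attacker.example is constructed.

```javascript
// Added example, not from the original post: a model of the decision a browser
// makes when a response is about to be rendered inside an <iframe>.
// Assumptions: origins are plain strings such as "http://localhost:8080";
// CSP handling covers only an enforced frame-ancestors directive with
// literal source matching.

// Split an X-Frame-Options value on commas, trim, lowercase and de-duplicate.
// Returns null when there is no usable value at all.
function parseXFrameOptions(value) {
  if (value == null) return null;
  const set = new Set();
  for (const item of value.split(",")) {
    const v = item.trim().toLowerCase();
    if (v !== "") set.add(v);
  }
  return set.size > 0 ? set : null;
}

// Return the source list of a frame-ancestors directive, or null when the
// policy has none. An empty source list behaves like 'none'.
function frameAncestorSources(csp) {
  if (csp == null) return null;
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "frame-ancestors") return tokens.slice(1);
  }
  return null;
}

// Does the frame-ancestors source list admit an ancestor with this origin?
function cspAllowsAncestor(sources, ancestorOrigin, pageOrigin) {
  for (const src of sources) {
    const s = src.replace(/^'|'$/g, "").toLowerCase();
    if (s === "none") return false;
    if (s === "self" && ancestorOrigin === pageOrigin) return true;
    if (s === "*" || s === ancestorOrigin.toLowerCase()) return true;
  }
  return false;
}

// headers: { xfo, csp } as received on the framed page's response.
// pageOrigin: origin of the framed page. ancestors: origins of the framing
// documents, innermost first (empty for a top-level navigation).
// Returns true when the browser renders the page inside the frame.
function mayBeFramed(headers, pageOrigin, ancestors) {
  if (ancestors.length === 0) return true;          // not inside a frame at all
  const sources = frameAncestorSources(headers.csp);
  if (sources !== null) {
    // An enforced frame-ancestors directive wins; X-Frame-Options is ignored.
    return ancestors.every(a => cspAllowsAncestor(sources, a, pageOrigin));
  }
  const xfo = parseXFrameOptions(headers.xfo);
  if (xfo === null) return true;                     // no header: anyone may frame
  if (xfo.size > 1) return false;                    // conflicting values: refuse
  const [value] = xfo;
  if (value === "deny") return false;
  if (value === "sameorigin") {
    // Every ancestor up to the top-level document must share the origin.
    return ancestors.every(a => a === pageOrigin);
  }
  return true;   // ALLOW-FROM or any other unrecognised value: header ignored
}

// Reproduce the post's demo. APP_ORIGIN is the URL used in the post; the
// attacker origin is constructed for this example.
const APP_ORIGIN = "http://localhost:8080";
const ATTACKER_ORIGIN = "http://attacker.example";

function demo() {
  return {
    // before the filter: the attacker's iframe shows the success page
    beforeFilter: mayBeFramed({}, APP_ORIGIN, [ATTACKER_ORIGIN]),
    // after the filter with mode DENY: the frame stays blank
    deny: mayBeFramed({ xfo: "DENY" }, APP_ORIGIN, [ATTACKER_ORIGIN]),
    // SAMEORIGIN still blocks the attacker but lets the app frame itself
    sameOriginAttacker: mayBeFramed({ xfo: "SAMEORIGIN" }, APP_ORIGIN, [ATTACKER_ORIGIN]),
    sameOriginSelf: mayBeFramed({ xfo: "SAMEORIGIN" }, APP_ORIGIN, [APP_ORIGIN]),
    // an app frame nested inside the attacker's page is still blocked
    nested: mayBeFramed({ xfo: "SAMEORIGIN" }, APP_ORIGIN, [APP_ORIGIN, ATTACKER_ORIGIN]),
    // ALLOW-FROM is not understood by current browsers, so it protects nothing
    allowFrom: mayBeFramed({ xfo: "ALLOW-FROM http://partner.example" }, APP_ORIGIN, [ATTACKER_ORIGIN]),
    // frame-ancestors, when present, overrides X-Frame-Options
    cspWins: mayBeFramed({ xfo: "DENY", csp: "frame-ancestors 'self'" }, APP_ORIGIN, [APP_ORIGIN]),
  };
}

console.log(demo());
```

The two results worth noting for the filter above are that SAMEORIGIN checks the whole ancestor chain, so wrapping a same-origin frame inside an attacker page does not help the attacker, and that a misspelt or obsolete value (ALLOW-FROM) is not an error but silently allows framing, which is why the filter rejects anything other than DENY or SAMEORIGIN at start-up.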
Thank you for viewing the post.


  1. Hey, it worked. Thanks. Could you please let me know the better way to do that? I read somewhere that X-Frame-Option is deprecated. Is there any disadvantage of implementing using X-Frame-Option?


  3. Why can't we use org.apache.catalina.filters.HttpHeaderSecurityFilter
    with web-app version="2.4"?
