Interactive Demo

What Happens Without X-Frame-Options

A missing X-Frame-Options header lets attackers embed your site in a hidden iframe and trick users into clicking buttons they can't see. Watch the attack, then stop it.

A legitimate banking app

MyBank has a real account with a balance and transaction history. Nothing looks wrong.

An attacker hides it in an iframe

A fake prize page embeds MyBank in a transparent iframe. The victim clicks a decoy button that triggers a real bank transfer.

One header blocks the frame

Enable X-Frame-Options and the browser refuses to load MyBank inside any iframe.


Below is MyBank, a fictional banking app. An attacker has created a prize page that secretly embeds MyBank in a transparent iframe.

Attacker page: https://win-free-prizes.com
FREE PRIZES!

Congratulations!

You've been selected to win a $1,000 gift card!

Claim Your Prize

No purchase necessary. Click to claim.

Victim page: https://mybank.com/accounts
MyBank
user

Checking Account

$12,450.00

Date    | Description      | Amount
Mar 12  | Payroll deposit  | +$4,200.00
Mar 10  | AWS invoice      | -$189.00
Mar 8   | Stripe payout    | +$1,340.00
Mar 5   | Office rent      | -$2,100.00

Transfer form: recipient account (text field), "Transfer $500" (button)

What is clickjacking?

Clickjacking (also called “UI redressing”) is an attack where a malicious site embeds your application in a transparent <iframe>. The attacker positions a decoy button on top of a real, sensitive action in your app. When the victim clicks the decoy, the click passes through to the hidden iframe.

The setup below

An attacker has built a fake prize page. Behind the “Claim Your Prize” button is an invisible iframe of MyBank with the “Transfer $500” button aligned in the exact same position. Click the button below to see the attack.
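The "One header blocks the frame" step and the setup above both come down to one browser decision: given the response headers MyBank sends, may the page be rendered inside a frame hosted by another origin? The following Node.js code is an added example, not part of the demo page or of MyBank. It uses the demo's fictional origins (https://mybank.com and https://win-free-prizes.com), shows the unprotected "before" headers next to the hardened "after" headers, and implements a simplified version of the browser rule: CSP frame-ancestors takes precedence over X-Frame-Options, DENY always refuses, SAMEORIGIN allows only the page's own origin, and the obsolete ALLOW-FROM value is ignored. For frame-ancestors only the 'none', 'self' and '*' keywords and exact origins are matched; wildcard hosts are left out to keep the example short.

```javascript
// Added example (not the demo page's code): how a browser decides whether a
// response may be framed, and which headers MyBank should send to refuse it.
// Origins below are the demo's fictional values. The matching is a simplified
// version of the X-Frame-Options and CSP frame-ancestors rules (assumption:
// exact origins and keyword sources only, no wildcard hosts).

// The "before" state from the demo: no header restricts framing at all.
function unprotectedHeaders() {
  return {};
}

// The "after" state: X-Frame-Options for older browsers, CSP frame-ancestors
// for current ones. When both are present the CSP directive wins.
function hardenedHeaders() {
  return {
    "x-frame-options": "DENY",
    "content-security-policy": "frame-ancestors 'none'",
  };
}

// Reduce a URL to its origin, e.g. https://mybank.com/accounts -> https://mybank.com
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Return the source list of the frame-ancestors directive, or null if the
// CSP header is absent or has no such directive.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(";")) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === "frame-ancestors") return parts.slice(1);
  }
  return null;
}

// Does one frame-ancestors source expression permit frameOrigin to embed pageOrigin?
function sourceMatches(src, frameOrigin, pageOrigin) {
  const s = src.replace(/^'|'$/g, "").toLowerCase();
  if (s === "none") return false;
  if (s === "self") return frameOrigin === pageOrigin;
  if (s === "*") return true;
  return s === frameOrigin.toLowerCase(); // exact origin such as https://partner.example
}

// Decide whether the page at pageUrl, served with these headers, may be
// rendered inside a frame hosted at frameUrl. Header names are case-insensitive.
function framingAllowed(headers, pageUrl, frameUrl) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const pageOrigin = originOf(pageUrl);
  const frameOrigin = originOf(frameUrl);

  // CSP frame-ancestors, when present, takes precedence over X-Frame-Options.
  const ancestors = frameAncestors(h["content-security-policy"]);
  if (ancestors) {
    return ancestors.some((src) => sourceMatches(src, frameOrigin, pageOrigin));
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return frameOrigin === pageOrigin;
  // ALLOW-FROM is obsolete and ignored by current browsers; a missing or
  // unrecognised value leaves framing permitted.
  return true;
}

// Wrap a node:http request handler so every response carries the hardened headers.
function withFrameProtection(handler) {
  return (req, res) => {
    for (const [name, value] of Object.entries(hardenedHeaders())) {
      res.setHeader(name, value);
    }
    return handler(req, res);
  };
}

// Replay the demo: the prize page tries to frame MyBank before and after the fix.
function demoScenario() {
  const page = "https://mybank.com/accounts";
  const attacker = "https://win-free-prizes.com/";
  return {
    before: framingAllowed(unprotectedHeaders(), page, attacker), // true: attack works
    after: framingAllowed(hardenedHeaders(), page, attacker),     // false: frame refused
  };
}

module.exports = { unprotectedHeaders, hardenedHeaders, framingAllowed, withFrameProtection, demoScenario };
```

To apply it to a real server, pass the existing handler through withFrameProtection before handing it to http.createServer; the framingAllowed function is also handy in a test suite to assert that a staging deployment's captured headers refuse the attacker origin while still allowing any legitimate same-origin embedding.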

Only available with ShipShield ($25)

Go Deeper With a Full Codebase Audit

The free scan checks what's visible from the outside. A full ShipShield audit connects to your GitHub repo and analyzes your actual source code, dependencies, infrastructure, and more, covering 5,000,000+ vulnerability signatures.

Exposed Secrets

API keys, credentials, and tokens buried in code and git history

Auth & Authorization

Missing auth checks, weak JWT config, privilege escalation paths

Injection Vulnerabilities

SQL injection, XSS, SSRF, and command injection in your source code

Dependency CVEs

Known vulnerabilities across npm, pip, cargo, and go packages

AI Business Logic Review

AI-powered analysis of input validation, race conditions, and logic flaws

Sensitive Data Flows

PII logging, unencrypted data transmission, and storage issues

Infrastructure Security

Rate limiting, request size limits, and file upload restrictions

Docker & Container Scanning

Container misconfigs, exposed ports, running as root, OS-level CVEs

License Compliance

GPL/AGPL copyleft detection across all your dependencies

SBOM Generation

SPDX-format Software Bill of Materials for compliance and audits

Supply Chain Security

Typosquatting detection and suspicious package analysis

Professional PDF Report

Detailed findings with severity ratings, code references, and AI-powered fix suggestions

Get a Full Codebase Audit for $25

Scans complete in 2-8 minutes · Automatic refund if scan fails