First of all, what is Clickjacking?
Clickjacking, also known as a “UI redress attack”, is an attack that fools users into thinking they are clicking on one thing when clicking on another. Users think they are using a normal web page, but in fact, there is a hidden UI in control; in other words, the UI has been redressed.
When users click on something they believe is safe, the hidden UI works differently, potentially revealing sensitive information or allowing others to take control of their computer.
Why you should prevent it?
How to prevent it on Meteor
It’s pretty straightforward, and we have a package called browser-policy, which handles many security things. You can read more about it on the documentation page.
You can use many different configurations, but the default one is good enough to prevent attackers from framing your website.
Basically, you just need to install browser-policy-framing, which will prevent clickjacking attacks.
meteor add browser-policy-framing
This package will add HTTP headers X-Frame-Options to your Meteor app and will prevent those attacks. If you need to allow some domains to iframe your website, just use the configuration described in the documentation.
How to Prevent Clickjacking Attacks in Your Meteor App was originally published in Meteor Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.