Fix guide · low · missing_frame_protection
No X-Frame-Options or CSP frame-ancestors header
What this rule means
Your page can be embedded in an iframe by any other site.
Why it matters
Clickjacking: an attacker overlays your page in a tiny invisible iframe on a site they control and tricks users into clicking on it, so a click that appears to land on the attacker's page actually triggers an action on yours.
How to fix it
Add either:
X-Frame-Options: DENY
Or in CSP:
Content-Security-Policy: frame-ancestors 'none'
Use SAMEORIGIN / 'self' if you legitimately embed your own pages in your own pages.
Sending both headers is the safest choice: browsers that understand frame-ancestors ignore X-Frame-Options when that directive is present, and older browsers fall back to X-Frame-Options. If your response already carries a Content-Security-Policy header, append the frame-ancestors directive to the existing policy instead of replacing it, so the other directives are kept. The header has to be present on every response that serves a page, not only the front page.
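The fix as working code, added here as an example and not vibecheck's own: one helper builds the two headers for the 'none' or 'self' policy, one merges them into an existing response header set without dropping other CSP directives, and one mirrors this rule's check over a header set (the function names and the assumption that header values are plain strings are this example's own).

```javascript
// Added example, not vibecheck's own code: build the headers the guide
// describes, merge them into an existing response header set, and run the
// rule's own check over a header set. Header values are assumed to be strings.
function frameProtectionHeaders(policy) {
  // Both headers are sent: browsers that understand frame-ancestors ignore
  // X-Frame-Options, older ones fall back to it.
  const table = { none: ["DENY", "'none'"], self: ["SAMEORIGIN", "'self'"] };
  if (!table[policy]) throw new Error(`unknown policy: ${policy}`);
  const [xfo, source] = table[policy];
  return { "X-Frame-Options": xfo, "Content-Security-Policy": `frame-ancestors ${source}` };
}

// Split a CSP value into [directiveName, fullDirective] pairs.
function cspDirectives(value) {
  return String(value).split(";").map((d) => d.trim()).filter(Boolean)
    .map((d) => [d.split(/\s+/)[0].toLowerCase(), d]);
}

// Merge frame protection into existing headers without dropping other CSP
// directives: an existing frame-ancestors directive is replaced, the rest of
// the policy is kept, and X-Frame-Options is overwritten.
function applyFrameProtection(headers, policy) {
  const added = frameProtectionHeaders(policy);
  const out = {};
  let existingCsp = "";
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (lower === "x-frame-options") continue;
    if (lower === "content-security-policy") { existingCsp = value; continue; }
    out[name] = value;
  }
  const kept = cspDirectives(existingCsp).filter(([n]) => n !== "frame-ancestors").map(([, d]) => d);
  out["X-Frame-Options"] = added["X-Frame-Options"];
  out["Content-Security-Policy"] = [...kept, added["Content-Security-Policy"]].join("; ");
  return out;
}
// True when the headers satisfy the rule: X-Frame-Options DENY/SAMEORIGIN, or
// an enforced CSP carrying frame-ancestors. Header names may be any case;
// Content-Security-Policy-Report-Only does not count because it blocks nothing.
function hasFrameProtection(headers) {
  let xfo = "", csp = "";
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (lower === "x-frame-options") xfo = String(value).trim().toUpperCase();
    if (lower === "content-security-policy") csp = value;
  }
  if (xfo === "DENY" || xfo === "SAMEORIGIN") return true;
  return cspDirectives(csp).some(([n]) => n === "frame-ancestors");
}
```

Call applyFrameProtection on the header object your server builds for each HTML response, and run hasFrameProtection over the headers of a fetched page to confirm the fix before re-running the inspection.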
Did vibecheck flag this on your app?
If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.