Clickjacking is a vulnerability that lets a malicious user trick authenticated users of a site into taking actions they do not intend, by placing the target site in an iframe.

Prior to Drupal 7.50, Drupal core did not have any protection against clickjacking attacks.

In Drupal 7.50 and higher, Drupal core protects against cross-domain clickjacking by default, by preventing the site from being embedded in an iframe on another domain. This behavior can be overridden if necessary, to either remove or expand the protection.

Drupal sites may need to be placed into iframes under certain circumstances, so the previous behavior of Drupal core (which did not enforce a particular stance on this issue) is not considered a vulnerability.
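To confirm which stance a deployed site actually takes (a reverse proxy, module or override can change what reaches the browser), the response headers can be classified. The sketch below is an added example, not Drupal code: it relies on the fact that Drupal 7.50 and higher send `X-Frame-Options: SAMEORIGIN` by default, also reads the CSP `frame-ancestors` directive, and its function names and sample headers are constructed for illustration.

```python
# Added example, not Drupal code. All header values are constructed samples.
RANK = ["unprotected", "allow-list", "same-origin", "deny"]  # weakest to strictest

def xfo_policy(values):
    """Classify X-Frame-Options header lines."""
    seen = {t.strip().lower() for v in values for t in v.split(",") if t.strip()}
    if len(seen) > 1:
        # Conflicting values: the HTML Standard blocks framing if any recognised
        # value is present; a set of only unrecognised values is ignored.
        return "deny" if seen & {"deny", "sameorigin", "allowall"} else "unprotected"
    if seen == {"deny"}:
        return "deny"
    if seen == {"sameorigin"}:
        return "same-origin"
    return "unprotected"  # absent, ALLOWALL, obsolete ALLOW-FROM, or a typo

def csp_policy(values):
    """Classify frame-ancestors over all CSP policies; None if none sets it."""
    found = []
    for policy in (p for v in values for p in v.split(",")):
        for directive in policy.split(";"):
            parts = directive.split()
            if not parts or parts[0].lower() != "frame-ancestors":
                continue
            sources = [s.lower() for s in parts[1:]]
            if sources in ([], ["'none'"]):
                found.append("deny")
            elif sources == ["'self'"]:
                found.append("same-origin")
            elif {"*", "http:", "https:"} & set(sources):
                found.append("unprotected")  # any origin (of that scheme) may frame
            else:
                found.append("allow-list")
            break  # a repeated directive within one policy is ignored
    # Every policy is enforced, so the strictest one decides.
    return max(found, key=RANK.index) if found else None

def framing_policy(headers):
    """headers: list of (name, value) pairs with duplicates preserved."""
    def get(name):
        return [v for n, v in headers if n.lower() == name]
    # Browsers that support frame-ancestors ignore X-Frame-Options when it is set.
    csp = csp_policy(get("content-security-policy"))
    return csp if csp is not None else xfo_policy(get("x-frame-options"))

if __name__ == "__main__":
    print(framing_policy([("X-Frame-Options", "SAMEORIGIN")]))  # 7.50+ default
    print(framing_policy([("Content-Type", "text/html")]))      # no protection
```

A result of `unprotected` on a site that is expected to run Drupal 7.50 or higher means the default has been removed or the header is being stripped before it reaches the client.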

Additional solutions

If you care about clickjacking on your site, the Security Kit module provides several forms of protection against several different kinds of attacks.

As is always the case, site builders are encouraged to evaluate contributed modules prior to deploying them to confirm they are helpful without introducing other security issues.