Last week, we posted a video on our sister channel. In that video, we talked about “Clickjacking”. For those uninformed: Clickjacking is a “hacking” technique where an attacker tries to load your website, or a part of your website, inside a page they control to trick visitors into doing something. Their end goal, of course, is to use your website to steal information, credentials or more.
The simplest way to test whether a site is vulnerable is to load the website in an iFrame. Using that method, we demonstrated that both Joomla 3.x and WordPress are vulnerable to clickjacking out of the box.
After we published our video, George Wilson, a Joomla contributor, informed us that Joomla 4 ships with a plugin that should prevent this sort of attack from happening.
We immediately knew what to do: make a follow-up video where we test the plugin and see whether it protects Joomla 4 against clickjacking out of the box.
You can watch our video for the full demonstration, the results and our conclusions.
If video isn’t your medium, here is a summary of what happens in the video. Spoilers below!
HTTP Headers Plugin
The plugin that was mentioned is called the HTTP Headers plugin. It does more than protect you against clickjacking: it offers you the option to set your own headers, which is the cure for clickjacking and other sorts of attacks. What’s relevant for most site builders, however, is that the HTTP Headers plugin protects your website against clickjacking out of the box.
Because of the plugin, our attempt to load the website in an iFrame fails. That means our hypothetical attack on the website isn’t going to happen. The conclusion is simple: Joomla 4 offers protection against clickjacking out of the box. On top of that, it offers features that will help you keep your visitors safe, but those other options require some studying and knowledge of HTTP headers that might not be everyone’s cup of tea.
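The post verifies the plugin by trying to frame the site in a browser. A quicker, repeatable check for site builders is to look at the response headers directly, since the two mechanisms browsers honor for refusing frames are the `X-Frame-Options` header (`DENY` or `SAMEORIGIN`) and the `Content-Security-Policy` `frame-ancestors` directive, which overrides `X-Frame-Options` when both are present. The script below is an added example written for this summary; it is not code from the video, from Joomla, or from the HTTP Headers plugin, and it does not assume which exact header value the plugin emits. The sample responses are constructed for illustration, and `check_url` is a helper that fetches a live page only when you call it.

```python
"""Classify whether an HTTP response's headers tell browsers to refuse framing.

Added example (not Joomla or plugin code). Two mechanisms are evaluated:
the legacy X-Frame-Options header (DENY / SAMEORIGIN) and the CSP
frame-ancestors directive, which takes precedence when both are present.
"""
from __future__ import annotations

from typing import Mapping
from urllib.request import urlopen


def _frame_ancestors(csp: str) -> list[str] | None:
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def frame_protection(headers: Mapping[str, str]) -> dict:
    """Evaluate framing protection from response headers (names are case-insensitive)."""
    lower = {name.lower(): value for name, value in headers.items()}
    result = {"protected": False, "mechanism": None, "policy": None, "notes": []}

    csp = lower.get("content-security-policy")
    ancestors = _frame_ancestors(csp) if csp is not None else None
    if ancestors is not None:
        result["mechanism"] = "csp-frame-ancestors"
        result["policy"] = " ".join(ancestors) or "(empty)"
        # '*' or a bare scheme such as https: lets any origin embed the page.
        wide_open = any(src == "*" or src in ("http:", "https:") for src in ancestors)
        result["protected"] = not wide_open
        if "x-frame-options" in lower:
            result["notes"].append("X-Frame-Options ignored: frame-ancestors takes precedence")
        return result

    xfo = lower.get("x-frame-options")
    if xfo is None:
        result["notes"].append("no X-Frame-Options or frame-ancestors header: page can be framed")
        return result

    value = xfo.strip().upper()
    result["mechanism"] = "x-frame-options"
    result["policy"] = value
    if value in ("DENY", "SAMEORIGIN"):
        result["protected"] = True
    elif value.startswith("ALLOW-FROM"):
        result["notes"].append("ALLOW-FROM is obsolete and ignored by current browsers; use frame-ancestors")
    else:
        result["notes"].append("unrecognised X-Frame-Options value; browsers treat it as no protection")
    return result


def check_url(url: str, timeout: float = 10.0) -> dict:
    """Fetch a live page you administer and classify its headers (needs network access)."""
    with urlopen(url, timeout=timeout) as resp:
        return frame_protection(dict(resp.headers.items()))


# Constructed sample responses for the demo; not captured from any real site.
SAMPLE_RESPONSES = {
    "stock site, no framing header": {"Content-Type": "text/html; charset=utf-8"},
    "X-Frame-Options set": {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"},
    "CSP deny": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "CSP overrides XFO": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
    "obsolete ALLOW-FROM": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}


if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        verdict = frame_protection(headers)
        status = "protected" if verdict["protected"] else "FRAMEABLE"
        print(f"{label:32} {status:10} via {verdict['mechanism']} {verdict['policy'] or ''}")
        for note in verdict["notes"]:
            print(f"{'':32} note: {note}")
```

Run it against your own site with `check_url("https://your-site.example/")` after enabling or disabling the plugin; a verdict of `FRAMEABLE` on the stock install and `protected` afterwards matches what the video shows in the browser. The `notes` field is there because a header can be present yet useless: `ALLOW-FROM` is no longer honored, and a permissive `frame-ancestors *` silently cancels a strict `X-Frame-Options`.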
Just FYI: the HTTP Headers plugin in Joomla 4 is based on this free 3.x plugin:
https://github.com/zero-24/plg_system_httpheader/releases