Which of the following headers helps in preventing the Clickjacking attack?
A.
Strict-Transport-Security
B.
Access-Control-Allow-Origin
C.
X-Frame-Options
D.
X-Content-Type-Options
The Answer Is:
C
This question includes an explanation.
Explanation:
Clickjacking is an attack in which a malicious page loads a legitimate site inside a transparent or disguised iframe, positions it over decoy content, and so tricks the user into clicking on something in the framed site (e.g., a "Confirm" or "Transfer" button) while the browser sends the click, along with the user’s cookies, to the legitimate site. The defense is to stop unauthorized sites from embedding the page in a frame or iframe at all. Let’s evaluate the headers:
Option A ("Strict-Transport-Security"): HTTP Strict Transport Security (HSTS) instructs the browser to use only HTTPS for the host for a given period, which defeats protocol-downgrade and SSL-stripping attacks over plain HTTP. It says nothing about framing and does not address clickjacking.
Option B ("Access-Control-Allow-Origin"): This CORS response header tells the browser which origins may read a cross-origin response, relaxing the same-origin policy for scripted requests. It neither restricts nor affects whether a page can be placed in a frame, so it does not prevent clickjacking.
Option C ("X-Frame-Options"): Correct. The X-Frame-Options response header tells the browser whether the page may be rendered inside a frame or iframe. DENY blocks all framing and SAMEORIGIN allows framing only by pages of the same origin, so a malicious site cannot embed the page and overlay it. This is the classic defense against clickjacking. Two practical caveats: the older ALLOW-FROM value is obsolete and ignored by modern browsers, and the Content-Security-Policy frame-ancestors directive supersedes X-Frame-Options (and takes precedence where both are present), so production sites usually send both, e.g. "Content-Security-Policy: frame-ancestors 'none'" together with "X-Frame-Options: DENY" for legacy browsers.
Option D ("X-Content-Type-Options"): With the value nosniff, this header stops the browser from MIME-sniffing a response and forces it to honor the declared Content-Type, which mitigates content-type confusion attacks. It has no effect on framing and does not address clickjacking.
The correct answer is C, aligning with the CAP syllabus under "Clickjacking Prevention" and "Security Headers." References: SecOps Group CAP Documents - "Clickjacking Defense," "Security Headers," and "OWASP Secure Headers Project" sections.
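The following is an added example written for this explanation; it is not part of the original question or of any SecOps Group material. It shows the two sides of the defense discussed above: a helper that sets the anti-framing headers on a server response, and a small audit function of the kind a security scanner would use to decide whether a response's headers actually block cross-origin framing. The function names (antiFramingHeaders, applyAntiFramingHeaders, framingProtection) and the sample header sets are assumptions made for illustration.

```javascript
// Added example (not from the original page). Builds and audits the response
// headers that block clickjacking. Helper names are hypothetical.

// Headers a server should send to block framing. 'deny' blocks all framing,
// 'sameorigin' allows only same-origin pages to frame this one.
// Both CSP frame-ancestors (modern) and X-Frame-Options (legacy) are sent.
function antiFramingHeaders(mode = 'deny') {
  if (mode === 'deny') {
    return {
      'Content-Security-Policy': "frame-ancestors 'none'",
      'X-Frame-Options': 'DENY',
    };
  }
  if (mode === 'sameorigin') {
    return {
      'Content-Security-Policy': "frame-ancestors 'self'",
      'X-Frame-Options': 'SAMEORIGIN',
    };
  }
  throw new Error(`unknown anti-framing mode: ${mode}`);
}

// Apply the headers to a Node-style response object (anything with setHeader),
// e.g. inside http.createServer((req, res) => { applyAntiFramingHeaders(res); ... }).
function applyAntiFramingHeaders(res, mode = 'deny') {
  for (const [name, value] of Object.entries(antiFramingHeaders(mode))) {
    res.setHeader(name, value);
  }
  return res;
}

// Audit a captured set of response headers. Returns one of:
//   'blocked'      no site may frame the page
//   'same-origin'  only same-origin pages may frame it
//   'allow-list'   specific origins may frame it (CSP frame-ancestors list)
//   'unprotected'  any site may frame it (clickjacking possible)
// Header names are matched case-insensitively, as browsers do.
function framingProtection(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = String(value);
  }

  // CSP frame-ancestors wins over X-Frame-Options when both are present.
  const csp = h['content-security-policy'];
  if (csp) {
    const directive = csp
      .split(';')
      .map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1).map((s) => s.toLowerCase());
      if (sources.length === 1 && sources[0] === "'none'") return 'blocked';
      if (sources.length === 1 && sources[0] === "'self'") return 'same-origin';
      if (sources.length === 0 || sources.includes('*')) return 'unprotected';
      return 'allow-list';
    }
  }

  const xfo = h['x-frame-options'];
  if (xfo) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY') return 'blocked';
    if (value === 'SAMEORIGIN') return 'same-origin';
    // ALLOW-FROM is obsolete; browsers that do not understand it ignore the
    // header entirely, so it must be treated as no protection.
    return 'unprotected';
  }

  return 'unprotected';
}

// Constructed sample: the four headers from the question, only one of which
// actually blocks framing.
const sampleResponses = {
  hsts: { 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains' },
  cors: { 'Access-Control-Allow-Origin': 'https://app.example' },
  xfo: { 'X-Frame-Options': 'DENY' },
  nosniff: { 'X-Content-Type-Options': 'nosniff' },
};

function auditSamples() {
  const result = {};
  for (const [name, headers] of Object.entries(sampleResponses)) {
    result[name] = framingProtection(headers);
  }
  return result; // only 'xfo' comes back as 'blocked'
}

module.exports = { antiFramingHeaders, applyAntiFramingHeaders, framingProtection, auditSamples };
```

Running framingProtection against a real site's response headers (for example, the headers returned by curl -sI) gives a quick pass/fail for the clickjacking check: anything other than 'blocked' or 'same-origin' (or a deliberate 'allow-list') means the page can be embedded by an attacker's origin.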