title: Mitigate the Risk of Clickjacking with helmet.frameguard()
challengeType: 2
---
## Description
<sectionid='description'>
As a reminder, this project is being built upon the following starter project on <ahref='https://glitch.com/#!/import/github/freeCodeCamp/boilerplate-infosec/'>Glitch</a>, or cloned from <ahref='https://github.com/freeCodeCamp/boilerplate-infosec/'>GitHub</a>.
Your page could be put in a <code><frame></code> or <code><iframe></code> without your consent. This can result in clickjacking attacks, among other things. Clickjacking is a technique of tricking a user into interacting with a page different from what the user thinks it is. This can be obtained executing your page in a malicious context, by mean of iframing. In that context a hacker can put a hidden layer over your page. Hidden buttons can be used to run bad scripts. This middleware sets the X-Frame-Options header. It restricts who can put your site in a frame. It has three modes: DENY, SAMEORIGIN, and ALLOW-FROM.
We don’t need our app to be framed. You should use <code>helmet.frameguard()</code> passing with the configuration object <code>{action: 'deny'}</code>.