Clickjacking overlays invisible UI elements over legitimate web content — tricking users into clicking hidden buttons that perform unintended actions.
Prevention: X-Frame-Options HTTP header (DENY/SAMEORIGIN), Content-Security-Policy frame-ancestors directive. Both force browsers to refuse to render the page inside iframes.