New Year Sale 2026! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

The SecOps Group CAP Exam - Topic 25 Question 99 Discussion

Actual exam question for The SecOps Group's CAP exam
Question #: 99
Topic #: 25
[All CAP Questions]

Which of the following directives in a Content-Security-Policy HTTP response header, can be used to prevent a Clickjacking attack?

Show Suggested Answer Hide Answer
Suggested Answer: C

Clickjacking is an attack where a malicious site overlays a transparent iframe containing a legitimate site, tricking users into interacting with it unintentionally (e.g., clicking a button). The Content-Security-Policy (CSP) HTTP response header is used to mitigate various client-side attacks, including clickjacking, through specific directives. The frame-ancestors directive is the correct choice for preventing clickjacking. This directive specifies which origins are allowed to embed the webpage in an iframe, <frame>, or <object>. For example, setting frame-ancestors 'self' restricts framing to the same origin, effectively blocking external sites from embedding the page. This is a standard defense mechanism recommended by OWASP and other security frameworks.

Option A ('script-src') controls the sources from which scripts can be loaded, addressing XSS (Cross-Site Scripting) vulnerabilities but not clickjacking. Option B ('object-src') restricts the sources of plugins or embedded objects (e.g., Flash), which is unrelated to iframe-based clickjacking. Option D ('base-uri') defines the base URL for relative URLs in the document, offering no protection against framing attacks. The use of CSP with the frame-ancestors directive is a critical topic in the CAP syllabus under 'Security Headers' and 'OWASP Top 10' (UI Redressing).


by Reiko at Aug 16, 2025, 12:06 PM

Limited Time Offer

25%

Off

Get Premium CAP Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Terrilyn
2 months ago
I thought base-uri was for something else, right?
upvoted 0 times
...
Gilbert
2 months ago
Definitely C, no doubt about it!
upvoted 0 times
...
Joesph
2 months ago
Wait, are we sure object-src doesn't help too?
upvoted 0 times
...
Bambi
2 months ago
C is the right one, frame-ancestors blocks it.
upvoted 0 times
...
Joesph
3 months ago
Totally agree, frame-ancestors is key for Clickjacking!
upvoted 0 times
...
Crista
3 months ago
I’m a bit confused; I thought script-src could also help with security, but now I’m leaning towards C as well.
upvoted 0 times
...
Loren
3 months ago
I feel like I’ve seen a question like this before, and frame-ancestors definitely stood out as the right choice for preventing Clickjacking.
upvoted 0 times
...
Susy
4 months ago
I'm not entirely sure, but I remember something about object-src being related to media types, not really for Clickjacking.
upvoted 0 times
...
Starr
4 months ago
I think the answer might be C, frame-ancestors, because it controls which sites can embed your content in frames.
upvoted 0 times
...
Gearldine
4 months ago
C, frame-ancestors, is the correct answer. This directive allows you to specify which domains are allowed to embed your page, which is the primary defense against Clickjacking attacks.
upvoted 0 times
...
Serina
4 months ago
I'm a bit confused on this one. I know the Content-Security-Policy header is important for security, but I'm not sure which specific directive is used to prevent Clickjacking. I'll have to review my notes on this topic before answering.
upvoted 0 times
...
Nenita
4 months ago
The frame-ancestors directive sounds like the right answer to me. It allows you to specify which domains are allowed to embed your page, which is the key to preventing Clickjacking attacks.
upvoted 0 times
...
Elmer
5 months ago
Hmm, I'm a bit unsure about this one. I know the Content-Security-Policy header is used to prevent various web security threats, but I can't quite remember which directive is specifically for Clickjacking. I'll have to think this through carefully.
upvoted 0 times
...
Teresita
5 months ago
I'm pretty sure the answer is C. The frame-ancestors directive is used to prevent Clickjacking attacks by restricting which domains can embed the current page.
upvoted 0 times
...
Ronny
5 months ago
Definitely C) frame-ancestors. I remember learning about that in my web security course.
upvoted 0 times
Fabiola
1 month ago
Definitely a must-know for web developers!
upvoted 0 times
...
Micaela
2 months ago
I learned that too! Super important for security.
upvoted 0 times
...
Leonor
2 months ago
I agree, C) frame-ancestors is the right choice!
upvoted 0 times
...
Edmond
3 months ago
Yes, it blocks the site from being framed.
upvoted 0 times
...
...
Kenda
6 months ago
I agree with Cordelia, frame-ancestors is used to prevent Clickjacking attacks.
upvoted 0 times
...
Lonna
6 months ago
I think the answer is C) frame-ancestors. That directive is specifically used to prevent Clickjacking attacks.
upvoted 0 times
Aleta
5 months ago
Actually, it's C) frame-ancestors, that's the one specifically designed for Clickjacking protection.
upvoted 0 times
...
Lelia
5 months ago
I think it's D) base-uri, that directive can also help prevent Clickjacking.
upvoted 0 times
...
Paola
5 months ago
I agree, C) frame-ancestors is the correct answer to prevent Clickjacking attacks.
upvoted 0 times
...
...
Cordelia
7 months ago
I think the directive that can prevent Clickjacking is C) frame-ancestors.
upvoted 0 times
...

Save Cancel