ThingWorx ClickJack Support
Clickjacking is when an attacker uses a frame to display a site and applies one or more invisible layers over it, tricking the user into thinking they are clicking on one thing when they are actually clicking on something in the invisible layer. A defense against clickjacking relies on response headers from the server that tell the browser whether it is OK to frame the page. Because of compliance differences between browsers, two different headers must be used to indicate which domains are allowed to frame the page. These two headers (X-Frame-Options and Content-Security-Policy) are described below. ThingWorx uses both headers, so the administrator can configure it to disallow all framing, allow framing only from its own origin, or allow framing from a specific domain.
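As an added example (not PTC or ThingWorx code), the Python check below reads the two headers from a response and reports which of the three framing modes each one declares and whether they agree. The function names are hypothetical, and the header values and the `windchill.example.com` host are constructed samples.

```python
from urllib.parse import urlsplit

def _origin(url):
    parts = urlsplit(url.strip())
    return f"{parts.scheme}://{parts.netloc}".lower()  # scheme://host[:port]

def xfo_policy(value):
    """Return 'none', 'self', an origin string, or None for X-Frame-Options."""
    tokens = (value or "").split(None, 1)
    keyword = tokens[0].upper() if tokens else ""
    if keyword == "DENY":
        return "none"
    if keyword == "SAMEORIGIN":
        return "self"
    if keyword == "ALLOW-FROM" and len(tokens) == 2:
        return _origin(tokens[1])
    return None  # header absent or value not recognized

def csp_policy(value):
    """Return the frame-ancestors policy in the same vocabulary as xfo_policy."""
    for directive in (value or "").split(";"):
        tokens = directive.split()
        if not tokens or tokens[0].lower() != "frame-ancestors":
            continue
        sources = [s.lower() for s in tokens[1:]]
        if sources in ([], ["'none'"]):
            return "none"
        if sources == ["'self'"]:
            return "self"
        if len(sources) == 1 and "://" in sources[0]:
            return _origin(sources[0])
        return "other"  # several sources or a wildcard: review by hand
    return None  # no frame-ancestors directive in the policy

def audit(headers):
    """Compare both headers of one response; headers is a name -> value dict."""
    h = {k.lower(): v for k, v in headers.items()}
    xfo = xfo_policy(h.get("x-frame-options"))
    csp = csp_policy(h.get("content-security-policy"))
    return {"xfo": xfo, "csp": csp, "consistent": xfo is not None and xfo == csp}

# Constructed sample responses: one per mode the page lists, plus a gap.
SAMPLES = {
    "deny_all": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors 'none'"},
    "same_origin": {"X-Frame-Options": "SAMEORIGIN", "Content-Security-Policy": "frame-ancestors 'self'"},
    "one_domain": {"X-Frame-Options": "ALLOW-FROM https://windchill.example.com", "Content-Security-Policy": "default-src 'self'; frame-ancestors https://windchill.example.com"},
    "xfo_only": {"x-frame-options": "SAMEORIGIN"},
}
for name, hdrs in SAMPLES.items():
    print(name, audit(hdrs))
```

A response that carries only one of the headers, or two headers that declare different modes, is reported with `consistent: False`.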