The application can be embedded in an iframe on a malicious site, allowing attackers to trick users into clicking hidden elements and performing unintended actions.
An attacker could trick users into changing account settings, making purchases, transferring funds, or enabling features without their knowledge by overlaying invisible frames.
Set the X-Frame-Options response header to DENY or SAMEORIGIN, and add a Content-Security-Policy header with a frame-ancestors directive (which takes precedence over X-Frame-Options in browsers that support it). Frame-busting JavaScript can be added only as a defense-in-depth measure, since client-side scripts can be bypassed and are no substitute for the response headers.