Liudas Jankauskas

Everyone says telemetry doesn t matter . Until it starts returning 500 Internal Server Error.

Clickjacking is one of those everything works security problems that teams ignore because nothing crashes, nothing burns, and monitoring stays green. And that s exactly why it survives.

Your API can be flawless, your backend locked down but if your UI can be framed, a user can be tricked into clicking real actions through someone else s page. Approvals, settings, payments, permissions. All valid. All invisible.

There s a special kind of security failure that doesn t come from complex exploits or zero-days. It comes from your API politely introducing itself to the entire internet: Hi, I m nginx 1.18.0.
This isn t advanced hacking. It s basic fingerprinting and it s how attackers decide whether you re worth attacking at all. Exposing server versions turns vulnerability scanning into shopping with a checklist: tech, version, CVE, automate. Teams forget this because it s boring, not because it s hard. No alerts. No crashes. Just a quiet little header waiting for the wrong person to notice. I added this check to Rentgen because people don t forget hard things they forget obvious ones. And those are the ones that usually bite first.

Read more: https://rentgen.io/api-stories/s...