Clickjacking is prevented with the "X-Frame-Options: deny" header which can be set within a 4D Web Process using the following code:

$deny:="X-Frame-Options: deny" WEB SET HTTP HEADER($deny)

It may not be immediately apparent, but this can also be applied to the 404 page by rolling your own custom 404 page (which is extremely easy).

Take the following On Web Connection code for example

C_TEXT($1;$2;$3;$4;$5;$6) Case of    : ($1="/Home@")     // handle the /Home requests    //...    : ($1="/About@")     // handle the /About requests    //...    : ($1="/Products@")     // handle the /Products requests    //... End case

All we need to do to add a custom 404 page is add an Else statement like this:

C_TEXT($1;$2;$3;$4;$5;$6) Case of    : ($1="/Home@")     // handle the /Home requests    //...    : ($1="/About@")     // handle the /About requests    //...    : ($1="/Products@")     // handle the /Products requests    //... Else     // send a 404 for all other requests    $deny:="X-Frame-Options: deny"    WEB SET HTTP HEADER($deny)    WEB SEND TEXT("404") End case

Now any unknown url will hit this ELSE statement and send our custom 404 string that also includes the header to prevent clickjacking.