Clickjacking protection not activated

Your website is vulnerable to clickjacking because the MIDDLEWARE setting is missing django.middleware.clickjacking.XFrameOptionsMiddleware, the middleware that adds the X-Frame-Options header to every response. Without that header, browsers will let any other site embed your pages in a frame, so users can be tricked into interacting with your website without realising.

If unprotected, an invisible iframe pointing at your site can be placed on top of an innocent-looking button on the malicious web page, so when the user clicks the innocent button they're actually clicking a button on your web page, with their own session cookie attached. Any action that a single click can trigger (deleting an account, confirming a transfer, changing a setting) becomes something the attacker can trigger on their behalf.

You may find iframes useful though, so Django allows relaxing the policy from the default DENY to SAMEORIGIN via X_FRAME_OPTIONS = 'SAMEORIGIN' in your settings. SAMEORIGIN still blocks other sites from framing your pages but lets your own pages frame each other. (DENY has been the default since Django 3.0; earlier versions defaulted to SAMEORIGIN.) If only particular views need to be framed, the decorators in django.views.decorators.clickjacking (xframe_options_exempt, xframe_options_sameorigin and xframe_options_deny) override the setting for a single view, which is safer than relaxing it site-wide.

So in practice, do this


MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'django.middleware.common.CommonMiddleware',
    ...
]

Instead of this


MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.middleware.common.CommonMiddleware',
    ...
]

Are you affected? Check with pip install django-doctor.
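Beyond running Django Doctor, you can confirm both the configuration and the live behaviour yourself. The following is an added example, not Django Doctor's or Django's own code: it statically parses a settings module for the middleware and the X_FRAME_OPTIONS policy, and separately classifies a response's headers, including the Content-Security-Policy frame-ancestors directive, which can allowlist particular framing origins in a way X-Frame-Options cannot. The settings snippets and header dictionaries are constructed for this example; the only other assumption is the Django 3.0+ default policy of DENY.

```python
"""Added example, not Django Doctor's or Django's own code: two offline
checks for clickjacking protection in a Django project.

check_settings_source() statically inspects a settings module for the
XFrameOptionsMiddleware and the X_FRAME_OPTIONS policy; framing_policy()
classifies the headers a running site actually returns, including the
Content-Security-Policy frame-ancestors directive. The settings text and
header dicts below are constructed for this example.
"""
import ast

XFRAME_MIDDLEWARE = "django.middleware.clickjacking.XFrameOptionsMiddleware"

# Constructed sample settings: the 'before' and 'after' of the fix above.
VULNERABLE_SETTINGS = """
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.middleware.common.CommonMiddleware',
]
"""

FIXED_SETTINGS = """
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'django.middleware.common.CommonMiddleware',
]
X_FRAME_OPTIONS = 'SAMEORIGIN'
"""


def check_settings_source(source: str) -> dict:
    """Parse settings source and report the effective clickjacking policy.

    Assumes the Django 3.0+ default of 'DENY' when X_FRAME_OPTIONS is unset
    (Django 2.x defaulted to 'SAMEORIGIN').
    """
    middleware_present = False
    x_frame_options = "DENY"
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Assign):
            continue
        names = [t.id for t in node.targets if isinstance(t, ast.Name)]
        if "MIDDLEWARE" in names and isinstance(node.value, (ast.List, ast.Tuple)):
            middleware_present = any(
                isinstance(e, ast.Constant) and e.value == XFRAME_MIDDLEWARE
                for e in node.value.elts
            )
        elif "X_FRAME_OPTIONS" in names and isinstance(node.value, ast.Constant):
            x_frame_options = str(node.value.value).upper()
    # The header is only emitted when the middleware runs, and browsers
    # ignore X-Frame-Options values other than DENY and SAMEORIGIN.
    protected = middleware_present and x_frame_options in ("DENY", "SAMEORIGIN")
    return {
        "middleware_present": middleware_present,
        "x_frame_options": x_frame_options,
        "protected": protected,
    }


def framing_policy(headers: dict) -> str:
    """Classify a response's framing policy from its headers.

    Returns 'deny', 'same-origin', 'allowlist' or 'unprotected'. Browsers
    that understand CSP frame-ancestors ignore X-Frame-Options when the
    directive is present, so it is consulted first.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    for directive in lowered.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if not sources or sources == ["none"]:
                return "deny"
            if sources == ["self"]:
                return "same-origin"
            if "*" in sources:
                return "unprotected"
            return "allowlist"
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "deny"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # Header missing, or a value browsers do not honour (e.g. the obsolete
    # ALLOW-FROM): any site can frame the page.
    return "unprotected"


if __name__ == "__main__":
    for label, src in (("vulnerable", VULNERABLE_SETTINGS), ("fixed", FIXED_SETTINGS)):
        print(label, check_settings_source(src))
    # Constructed header sets, as a scanner would see them.
    print(framing_policy({"Content-Type": "text/html"}))
    print(framing_policy({"X-Frame-Options": "SAMEORIGIN"}))
    print(framing_policy({"Content-Security-Policy": "frame-ancestors 'none'"}))
```

Run the file directly to print the verdicts, or pass the text of your own settings.py to check_settings_source. framing_policy is worth running over responses captured from a staging deployment as well, since a reverse proxy or CDN in front of Django can strip or rewrite a header the middleware sets correctly.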

Configuring this check

Django Doctor runs this check by default. No configuration is needed, but the check can be turned on or off using the check code missing-xframe-middleware in your pyproject.toml file.

Read more about configuring Django Doctor.