<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=Edge" />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Clickjacking Protection — Django 1.11.20 documentation</title>
<link rel="stylesheet" href="../_static/default.css" type="text/css" />
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
<script type="text/javascript" id="documentation_options" data-url_root="../" src="../_static/documentation_options.js"></script>
<script type="text/javascript" src="../_static/jquery.js"></script>
<script type="text/javascript" src="../_static/underscore.js"></script>
<script type="text/javascript" src="../_static/doctools.js"></script>
<script type="text/javascript" src="../_static/language_data.js"></script>
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
<link rel="next" title="contrib packages" href="contrib/index.html" />
<link rel="prev" title="Class-based generic views - flattened index" href="class-based-views/flattened-index.html" />
<script type="text/javascript" src="../templatebuiltins.js"></script>
<script type="text/javascript">
(function($) {
if (!django_template_builtins) {
// templatebuiltins.js missing, do nothing.
return;
}
$(document).ready(function() {
// Hyperlink Django template tags and filters
var base = "templates/builtins.html";
if (base == "#") {
// Special case for builtins.html itself
base = "";
}
// Tags are keywords, class '.k'
$("div.highlight\\-html\\+django span.k").each(function(i, elem) {
var tagname = $(elem).text();
if ($.inArray(tagname, django_template_builtins.ttags) != -1) {
var fragment = tagname.replace(/_/, '-');
$(elem).html("<a href='" + base + "#" + fragment + "'>" + tagname + "</a>");
}
});
// Filters are functions, class '.nf'
$("div.highlight\\-html\\+django span.nf").each(function(i, elem) {
var filtername = $(elem).text();
if ($.inArray(filtername, django_template_builtins.tfilters) != -1) {
var fragment = filtername.replace(/_/, '-');
$(elem).html("<a href='" + base + "#" + fragment + "'>" + filtername + "</a>");
}
});
});
})(jQuery);
</script>
</head><body>
<div class="document">
<div id="custom-doc" class="yui-t6">
<div id="hd">
<h1><a href="../index.html">Django 1.11.20 documentation</a></h1>
<div id="global-nav">
<a title="Home page" href="../index.html">Home</a> |
<a title="Table of contents" href="../contents.html">Table of contents</a> |
<a title="Global index" href="../genindex.html">Index</a> |
<a title="Module index" href="../py-modindex.html">Modules</a>
</div>
<div class="nav">
« <a href="class-based-views/flattened-index.html" title="Class-based generic views - flattened index">previous</a>
|
<a href="index.html" title="API Reference" accesskey="U">up</a>
|
<a href="contrib/index.html" title="<code class="docutils literal notranslate"><span class="pre">contrib</span></code> packages">next</a> »</div>
</div>
<div id="bd">
<div id="yui-main">
<div class="yui-b">
<div class="yui-g" id="ref-clickjacking">
<div class="section" id="s-module-django.middleware.clickjacking">
<span id="s-clickjacking-protection"></span><span id="module-django.middleware.clickjacking"></span><span id="clickjacking-protection"></span><h1>Clickjacking Protection<a class="headerlink" href="#module-django.middleware.clickjacking" title="Permalink to this headline">¶</a></h1>
<p>The clickjacking middleware and decorators provide easy-to-use protection
against <a class="reference external" href="https://en.wikipedia.org/wiki/Clickjacking">clickjacking</a>. This type of attack occurs when a malicious site
tricks a user into clicking on a concealed element of another site which they
have loaded in a hidden frame or iframe.</p>
<div class="section" id="s-an-example-of-clickjacking">
<span id="an-example-of-clickjacking"></span><h2>An example of clickjacking<a class="headerlink" href="#an-example-of-clickjacking" title="Permalink to this headline">¶</a></h2>
<p>Suppose an online store has a page where a logged in user can click “Buy Now” to
purchase an item. A user has chosen to stay logged into the store all the time
for convenience. An attacker site might create an “I Like Ponies” button on one
of their own pages, and load the store’s page in a transparent iframe such that
the “Buy Now” button is invisibly overlaid on the “I Like Ponies” button. If the
user visits the attacker’s site, clicking “I Like Ponies” will cause an
inadvertent click on the “Buy Now” button and an unknowing purchase of the item.</p>
</div>
<div class="section" id="s-preventing-clickjacking">
<span id="s-clickjacking-prevention"></span><span id="preventing-clickjacking"></span><span id="clickjacking-prevention"></span><h2>Preventing clickjacking<a class="headerlink" href="#preventing-clickjacking" title="Permalink to this headline">¶</a></h2>
<p>Modern browsers honor the <a class="reference external" href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options">X-Frame-Options</a> HTTP header that indicates whether
or not a resource is allowed to load within a frame or iframe. If the response
contains the header with a value of <code class="docutils literal notranslate"><span class="pre">SAMEORIGIN</span></code> then the browser will only
load the resource in a frame if the request originated from the same site. If
the header is set to <code class="docutils literal notranslate"><span class="pre">DENY</span></code> then the browser will block the resource from
loading in a frame no matter which site made the request.</p>
<p>Django provides a few simple ways to include this header in responses from your
site:</p>
<ol class="arabic simple">
<li>A simple middleware that sets the header in all responses.</li>
<li>A set of view decorators that can be used to override the middleware or to
only set the header for certain views.</li>
</ol>
<p>The <code class="docutils literal notranslate"><span class="pre">X-Frame-Options</span></code> HTTP header will only be set by the middleware or view
decorators if it is not already present in the response.</p>
</div>
<div class="section" id="s-how-to-use-it">
<span id="how-to-use-it"></span><h2>How to use it<a class="headerlink" href="#how-to-use-it" title="Permalink to this headline">¶</a></h2>
<div class="section" id="s-setting-x-frame-options-for-all-responses">
<span id="setting-x-frame-options-for-all-responses"></span><h3>Setting <code class="docutils literal notranslate"><span class="pre">X-Frame-Options</span></code> for all responses<a class="headerlink" href="#setting-x-frame-options-for-all-responses" title="Permalink to this headline">¶</a></h3>
<p>To set the same <code class="docutils literal notranslate"><span class="pre">X-Frame-Options</span></code> value for all responses in your site, put
<code class="docutils literal notranslate"><span class="pre">'django.middleware.clickjacking.XFrameOptionsMiddleware'</span></code> to
<a class="reference internal" href="settings.html#std:setting-MIDDLEWARE"><code class="xref std std-setting docutils literal notranslate"><span class="pre">MIDDLEWARE</span></code></a>:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">MIDDLEWARE</span> <span class="o">=</span> <span class="p">[</span>
<span class="o">...</span>
<span class="s1">'django.middleware.clickjacking.XFrameOptionsMiddleware'</span><span class="p">,</span>
<span class="o">...</span>
<span class="p">]</span>
</pre></div>
</div>
<p>This middleware is enabled in the settings file generated by
<a class="reference internal" href="django-admin.html#django-admin-startproject"><code class="xref std std-djadmin docutils literal notranslate"><span class="pre">startproject</span></code></a>.</p>
<p>By default, the middleware will set the <code class="docutils literal notranslate"><span class="pre">X-Frame-Options</span></code> header to
<code class="docutils literal notranslate"><span class="pre">SAMEORIGIN</span></code> for every outgoing <code class="docutils literal notranslate"><span class="pre">HttpResponse</span></code>. If you want <code class="docutils literal notranslate"><span class="pre">DENY</span></code>
instead, set the <a class="reference internal" href="settings.html#std:setting-X_FRAME_OPTIONS"><code class="xref std std-setting docutils literal notranslate"><span class="pre">X_FRAME_OPTIONS</span></code></a> setting:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">X_FRAME_OPTIONS</span> <span class="o">=</span> <span class="s1">'DENY'</span>
</pre></div>
</div>
<p>When using the middleware there may be some views where you do <strong>not</strong> want the
<code class="docutils literal notranslate"><span class="pre">X-Frame-Options</span></code> header set. For those cases, you can use a view decorator
that tells the middleware not to set the header:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="kn">from</span> <span class="nn">django.http</span> <span class="k">import</span> <span class="n">HttpResponse</span>
<span class="kn">from</span> <span class="nn">django.views.decorators.clickjacking</span> <span class="k">import</span> <span class="n">xframe_options_exempt</span>
<span class="nd">@xframe_options_exempt</span>
<span class="k">def</span> <span class="nf">ok_to_load_in_a_frame</span><span class="p">(</span><span class="n">request</span><span class="p">):</span>
<span class="k">return</span> <span class="n">HttpResponse</span><span class="p">(</span><span class="s2">"This page is safe to load in a frame on any site."</span><span class="p">)</span>
</pre></div>
</div>
</div>
<div class="section" id="s-setting-x-frame-options-per-view">
<span id="setting-x-frame-options-per-view"></span><h3>Setting <code class="docutils literal notranslate"><span class="pre">X-Frame-Options</span></code> per view<a class="headerlink" href="#setting-x-frame-options-per-view" title="Permalink to this headline">¶</a></h3>
<p>To set the <code class="docutils literal notranslate"><span class="pre">X-Frame-Options</span></code> header on a per view basis, Django provides these
decorators:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="kn">from</span> <span class="nn">django.http</span> <span class="k">import</span> <span class="n">HttpResponse</span>
<span class="kn">from</span> <span class="nn">django.views.decorators.clickjacking</span> <span class="k">import</span> <span class="n">xframe_options_deny</span>
<span class="kn">from</span> <span class="nn">django.views.decorators.clickjacking</span> <span class="k">import</span> <span class="n">xframe_options_sameorigin</span>
<span class="nd">@xframe_options_deny</span>
<span class="k">def</span> <span class="nf">view_one</span><span class="p">(</span><span class="n">request</span><span class="p">):</span>
<span class="k">return</span> <span class="n">HttpResponse</span><span class="p">(</span><span class="s2">"I won't display in any frame!"</span><span class="p">)</span>
<span class="nd">@xframe_options_sameorigin</span>
<span class="k">def</span> <span class="nf">view_two</span><span class="p">(</span><span class="n">request</span><span class="p">):</span>
<span class="k">return</span> <span class="n">HttpResponse</span><span class="p">(</span><span class="s2">"Display in a frame if it's from the same origin as me."</span><span class="p">)</span>
</pre></div>
</div>
<p>Note that you can use the decorators in conjunction with the middleware. Use of
a decorator overrides the middleware.</p>
</div>
</div>
<div class="section" id="s-limitations">
<span id="limitations"></span><h2>Limitations<a class="headerlink" href="#limitations" title="Permalink to this headline">¶</a></h2>
<p>The <code class="docutils literal notranslate"><span class="pre">X-Frame-Options</span></code> header will only protect against clickjacking in a
modern browser. Older browsers will quietly ignore the header and need <a class="reference external" href="https://en.wikipedia.org/wiki/Clickjacking#Prevention">other
clickjacking prevention techniques</a>.</p>
<div class="section" id="s-browsers-that-support-x-frame-options">
<span id="browsers-that-support-x-frame-options"></span><h3>Browsers that support <code class="docutils literal notranslate"><span class="pre">X-Frame-Options</span></code><a class="headerlink" href="#browsers-that-support-x-frame-options" title="Permalink to this headline">¶</a></h3>
<ul class="simple">
<li>Internet Explorer 8+</li>
<li>Firefox 3.6.9+</li>
<li>Opera 10.5+</li>
<li>Safari 4+</li>
<li>Chrome 4.1+</li>
</ul>
</div>
<div class="section" id="s-see-also">
<span id="see-also"></span><h3>See also<a class="headerlink" href="#see-also" title="Permalink to this headline">¶</a></h3>
<p>A <a class="reference external" href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options#Browser_compatibility">complete list</a> of browsers supporting <code class="docutils literal notranslate"><span class="pre">X-Frame-Options</span></code>.</p>
</div>
</div>
</div>
</div>
</div>
</div>
<div class="yui-b" id="sidebar">
<div class="sphinxsidebar" role="navigation" aria-label="main navigation">
<div class="sphinxsidebarwrapper">
<h3><a href="../contents.html">Table of Contents</a></h3>
<ul>
<li><a class="reference internal" href="#">Clickjacking Protection</a><ul>
<li><a class="reference internal" href="#an-example-of-clickjacking">An example of clickjacking</a></li>
<li><a class="reference internal" href="#preventing-clickjacking">Preventing clickjacking</a></li>
<li><a class="reference internal" href="#how-to-use-it">How to use it</a><ul>
<li><a class="reference internal" href="#setting-x-frame-options-for-all-responses">Setting <code class="docutils literal notranslate"><span class="pre">X-Frame-Options</span></code> for all responses</a></li>
<li><a class="reference internal" href="#setting-x-frame-options-per-view">Setting <code class="docutils literal notranslate"><span class="pre">X-Frame-Options</span></code> per view</a></li>
</ul>
</li>
<li><a class="reference internal" href="#limitations">Limitations</a><ul>
<li><a class="reference internal" href="#browsers-that-support-x-frame-options">Browsers that support <code class="docutils literal notranslate"><span class="pre">X-Frame-Options</span></code></a></li>
<li><a class="reference internal" href="#see-also">See also</a></li>
</ul>
</li>
</ul>
</li>
</ul>
<h4>Previous topic</h4>
<p class="topless"><a href="class-based-views/flattened-index.html"
title="previous chapter">Class-based generic views - flattened index</a></p>
<h4>Next topic</h4>
<p class="topless"><a href="contrib/index.html"
title="next chapter"><code class="docutils literal notranslate"><span class="pre">contrib</span></code> packages</a></p>
<div role="note" aria-label="source link">
<h3>This Page</h3>
<ul class="this-page-menu">
<li><a href="../_sources/ref/clickjacking.txt"
rel="nofollow">Show Source</a></li>
</ul>
</div>
<div id="searchbox" style="display: none" role="search">
<h3>Quick search</h3>
<div class="searchformwrapper">
<form class="search" action="../search.html" method="get">
<input type="text" name="q" />
<input type="submit" value="Go" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
</div>
</div>
<h3>Last update:</h3>
<p class="topless">Feb 11, 2019</p>
</div>
</div>
<div id="ft">
<div class="nav">
« <a href="class-based-views/flattened-index.html" title="Class-based generic views - flattened index">previous</a>
|
<a href="index.html" title="API Reference" accesskey="U">up</a>
|
<a href="contrib/index.html" title="<code class="docutils literal notranslate"><span class="pre">contrib</span></code> packages">next</a> »</div>
</div>
</div>
<div class="clearer"></div>
</div>
</body>
</html>
