2
0

clickjacking.txt 4.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122
  1. ========================
  2. Clickjacking Protection
  3. ========================
  4. .. module:: django.middleware.clickjacking
  5. :synopsis: Protects against Clickjacking
  6. The clickjacking middleware and decorators provide easy-to-use protection
  7. against `clickjacking`_. This type of attack occurs when a malicious site
  8. tricks a user into clicking on a concealed element of another site which they
  9. have loaded in a hidden frame or iframe.
  10. .. _clickjacking: https://en.wikipedia.org/wiki/Clickjacking
  11. An example of clickjacking
  12. ==========================
  13. Suppose an online store has a page where a logged in user can click "Buy Now" to
  14. purchase an item. A user has chosen to stay logged into the store all the time
  15. for convenience. An attacker site might create an "I Like Ponies" button on one
  16. of their own pages, and load the store's page in a transparent iframe such that
  17. the "Buy Now" button is invisibly overlaid on the "I Like Ponies" button. If the
  18. user visits the attacker's site, clicking "I Like Ponies" will cause an
  19. inadvertent click on the "Buy Now" button and an unknowing purchase of the item.
  20. .. _clickjacking-prevention:
  21. Preventing clickjacking
  22. =======================
  23. Modern browsers honor the `X-Frame-Options`_ HTTP header that indicates whether
  24. or not a resource is allowed to load within a frame or iframe. If the response
  25. contains the header with a value of ``SAMEORIGIN`` then the browser will only
  26. load the resource in a frame if the request originated from the same site. If
  27. the header is set to ``DENY`` then the browser will block the resource from
  28. loading in a frame no matter which site made the request.
  29. .. _X-Frame-Options: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
  30. Django provides a few ways to include this header in responses from your site:
  31. #. A middleware that sets the header in all responses.
  32. #. A set of view decorators that can be used to override the middleware or to
  33. only set the header for certain views.
  34. The ``X-Frame-Options`` HTTP header will only be set by the middleware or view
  35. decorators if it is not already present in the response.
  36. How to use it
  37. =============
  38. Setting ``X-Frame-Options`` for all responses
  39. ---------------------------------------------
  40. To set the same ``X-Frame-Options`` value for all responses in your site, put
  41. ``'django.middleware.clickjacking.XFrameOptionsMiddleware'`` to
  42. :setting:`MIDDLEWARE`::
  43. MIDDLEWARE = [
  44. ...,
  45. "django.middleware.clickjacking.XFrameOptionsMiddleware",
  46. ...,
  47. ]
  48. This middleware is enabled in the settings file generated by
  49. :djadmin:`startproject`.
  50. By default, the middleware will set the ``X-Frame-Options`` header to
  51. ``DENY`` for every outgoing ``HttpResponse``. If you want any other value for
  52. this header instead, set the :setting:`X_FRAME_OPTIONS` setting::
  53. X_FRAME_OPTIONS = "SAMEORIGIN"
  54. When using the middleware there may be some views where you do **not** want the
  55. ``X-Frame-Options`` header set. For those cases, you can use a view decorator
  56. that tells the middleware not to set the header::
  57. from django.http import HttpResponse
  58. from django.views.decorators.clickjacking import xframe_options_exempt
  59. @xframe_options_exempt
  60. def ok_to_load_in_a_frame(request):
  61. return HttpResponse("This page is safe to load in a frame on any site.")
  62. .. note::
  63. If you want to submit a form or access a session cookie within a frame or
  64. iframe, you may need to modify the :setting:`CSRF_COOKIE_SAMESITE` or
  65. :setting:`SESSION_COOKIE_SAMESITE` settings.
  66. Setting ``X-Frame-Options`` per view
  67. ------------------------------------
  68. To set the ``X-Frame-Options`` header on a per view basis, Django provides these
  69. decorators::
  70. from django.http import HttpResponse
  71. from django.views.decorators.clickjacking import xframe_options_deny
  72. from django.views.decorators.clickjacking import xframe_options_sameorigin
  73. @xframe_options_deny
  74. def view_one(request):
  75. return HttpResponse("I won't display in any frame!")
  76. @xframe_options_sameorigin
  77. def view_two(request):
  78. return HttpResponse("Display in a frame if it's from the same origin as me.")
  79. Note that you can use the decorators in conjunction with the middleware. Use of
  80. a decorator overrides the middleware.
  81. Limitations
  82. ===========
  83. The ``X-Frame-Options`` header will only protect against clickjacking in
  84. `modern browsers`_.
  85. .. _modern browsers: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options#browser_compatibility