Clickjacking protection
The clickjacking middleware and decorators provide simple, easy-to-use protection against clickjacking. This type of attack occurs when a malicious site tricks a user into clicking on a concealed element of another site which the attacker has loaded in a hidden frame or iframe.
An example of clickjacking
Suppose an online store has a page where a logged-in user can click "Buy now" to purchase an item. For convenience, the user can choose to stay logged in to the store at all times. An attacker's site might create an "I like ponies" button on its own page and load the store's page in a transparent iframe, positioned so that the hidden "Buy now" button sits directly over "I like ponies". If the user visits the attacker's site, clicking "I like ponies" actually triggers a click on the hidden "Buy now" button and unknowingly purchases the product.
Preventing clickjacking
Modern browsers honor the X-Frame-Options HTTP header, which indicates whether or not a resource is allowed to be loaded within a frame or iframe. If the response contains the header with a value of SAMEORIGIN, the browser will only load the resource in a frame if the request originated from the same origin. If the header is set to DENY, the browser will block the resource from loading in a frame no matter which site made the request.
Django provides a few simple ways to include this header in the responses from your site:
A simple middleware that sets the header in all responses.
A set of view decorators that can be used to override the middleware, or to set the header only on specified views.
How to use it
Setting X-Frame-Options for all responses
To set the same X-Frame-Options value for all responses in your site, add 'django.middleware.clickjacking.XFrameOptionsMiddleware' to MIDDLEWARE_CLASSES:
MIDDLEWARE_CLASSES = (
    ...
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    ...
)
This middleware is enabled in the settings file generated by startproject.
By default, the middleware sets the X-Frame-Options header to SAMEORIGIN on every outgoing response. If you want DENY instead, set the X_FRAME_OPTIONS setting:
X_FRAME_OPTIONS = 'DENY'
When using the middleware, there may be some views on which you do not want the X-Frame-Options header to be set. For those cases, you can use a view decorator that tells the middleware not to set the header:
from django.http import HttpResponse
from django.views.decorators.clickjacking import xframe_options_exempt

@xframe_options_exempt
def ok_to_load_in_a_frame(request):
    return HttpResponse("This page is safe to load in a frame on any site.")
Setting X-Frame-Options per view
To set the X-Frame-Options header on a per-view basis, Django provides these decorators:
from django.http import HttpResponse
from django.views.decorators.clickjacking import xframe_options_deny
from django.views.decorators.clickjacking import xframe_options_sameorigin

@xframe_options_deny
def view_one(request):
    return HttpResponse("I won't display in any frame!")

@xframe_options_sameorigin
def view_two(request):
    return HttpResponse("Display in a frame if it's from the same origin as me.")
Note that you can use the decorators in conjunction with the middleware. Use of a decorator overrides the middleware.
The X-Frame-Options header only protects against clickjacking in modern browsers. Older browsers silently ignore the header and need other clickjacking prevention techniques.
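To make the header semantics above concrete, here is an added example (not code from the Django project or from this page) that models how a modern browser decides whether a framed page may render, and that classifies a captured response the way a security review would. It assumes a single level of framing; browsers actually check every ancestor document for SAMEORIGIN, and the sample headers and URLs are constructed.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
VALID_VALUES = ("DENY", "SAMEORIGIN")

def origin_of(url):
    """Return the (scheme, host, port) origin a browser compares."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (p.hostname or "").lower(), port)

def xfo_value(headers):
    """Fetch the X-Frame-Options value; header names are case-insensitive."""
    for name, value in headers.items():
        if name.lower() == "x-frame-options":
            return value.strip().upper()
    return None

def framing_allowed(headers, resource_url, framer_url):
    """Would a modern browser render resource_url inside a frame on the page
    at framer_url? Only the immediate framing document is modelled here."""
    value = xfo_value(headers)
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return origin_of(resource_url) == origin_of(framer_url)
    # Header absent or carrying an unrecognised value (e.g. the obsolete
    # ALLOW-FROM form): browsers ignore it and allow framing.
    return True

def audit(headers):
    """Classify a captured response the way a review would report it."""
    value = xfo_value(headers)
    if value is None:
        return "unprotected: X-Frame-Options header absent"
    if value in VALID_VALUES:
        return "protected: X-Frame-Options %s" % value
    return "unprotected: unrecognised X-Frame-Options value %r" % value

# Constructed sample responses mirroring the store scenario on this page.
SAMPLES = {
    "middleware default": {"X-Frame-Options": "SAMEORIGIN"},
    "X_FRAME_OPTIONS = 'DENY'": {"X-Frame-Options": "DENY"},
    "xframe_options_exempt view": {},
}

if __name__ == "__main__":
    store = "https://store.example/buy-now"
    for label, hdrs in SAMPLES.items():
        print(label, "|", audit(hdrs), "| frameable by attacker site:",
              framing_allowed(hdrs, store, "https://attacker.example/ponies"))
```

Pointing audit() at the headers of a real response from your site is a quick way to confirm the middleware or decorator actually took effect on a given view.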
Browsers that support X-Frame-Options
Internet Explorer 8+
See the full list of browsers that support X-Frame-Options.
This article is licensed under CC BY-NC-SA 3.0; please keep the author's attribution and the source of the article.