Django 1.8 official documentation translation: 8-3 Clickjacking protection


Clickjacking protection

The clickjacking middleware and decorators provide easy-to-use protection against clickjacking. This type of attack occurs when a malicious site tricks a user into clicking on a concealed element of another site, which it has loaded in a hidden frame or iframe.

An example of clickjacking

Suppose an online store has a page where a logged-in user can click “Buy Now” to purchase an item. For convenience, a user has chosen to stay logged in to the store all the time. An attacker’s site might create an “I Like Ponies” button on one of its own pages and load the store’s page in a transparent iframe, so that the hidden “Buy Now” button is overlaid on the “I Like Ponies” button. If the user visits the attacker’s site, clicking “I Like Ponies” will trigger an inadvertent click on the “Buy Now” button and an unknowing purchase of the item.

Preventing clickjacking

Modern browsers honor the X-Frame-Options HTTP header, which indicates whether a resource is allowed to load within a frame or iframe. If the response contains the header with a value of SAMEORIGIN, the browser will only load the resource in a frame if the request originated from the same site. If the header is set to DENY, the browser will block the resource from loading in a frame, no matter which site made the request.

Django provides a few simple ways to include this header in responses from your site:

  • A simple middleware that sets the header in all responses.

  • A set of view decorators that can be used to override the middleware or to set the header only for certain views.

How to use it

Setting X-Frame-Options for all responses

To set the same X-Frame-Options value for all responses in your site, add 'django.middleware.clickjacking.XFrameOptionsMiddleware' to MIDDLEWARE_CLASSES.


This middleware is enabled in the settings file generated by startproject.

By default, the middleware sets the X-Frame-Options header to SAMEORIGIN for every outgoing HttpResponse. If you want DENY instead, set the X_FRAME_OPTIONS setting to 'DENY'.


When using the middleware, there may be some views where you do not want the X-Frame-Options header set. In those cases, you can use a view decorator that tells the middleware not to set the header:

from django.http import HttpResponse
from django.views.decorators.clickjacking import xframe_options_exempt

# The decorator marks the response so the middleware skips it.
@xframe_options_exempt
def ok_to_load_in_a_frame(request):
    return HttpResponse("This page is safe to load in a frame on any site.")

Setting X-Frame-Options per view

Django provides the following decorators to set the X-Frame-Options header on a per-view basis.

from django.http import HttpResponse
from django.views.decorators.clickjacking import xframe_options_deny
from django.views.decorators.clickjacking import xframe_options_sameorigin

# Sends X-Frame-Options: DENY for this view only.
@xframe_options_deny
def view_one(request):
    return HttpResponse("I won't display in any frame!")

# Sends X-Frame-Options: SAMEORIGIN for this view only.
@xframe_options_sameorigin
def view_two(request):
    return HttpResponse("Display in a frame if it's from the same origin as me.")

Note that you can use the decorators in conjunction with the middleware. Use of a decorator overrides the middleware.
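The precedence described above, as an added example that is not part of the original document and is not Django's source code. It is a framework-free model: Response, middleware and effective_policy are hypothetical stand-ins, and the three decorators only borrow the names of Django's.

```python
from functools import wraps

HEADER = "X-Frame-Options"

class Response:
    """Stand-in for HttpResponse (assumption, not Django's class)."""
    def __init__(self, body):
        self.body, self.headers, self.xframe_options_exempt = body, {}, False

def _header_decorator(value):
    # Sets the header only if the view has not already set one.
    def decorator(view):
        @wraps(view)
        def wrapped(request):
            resp = view(request)
            resp.headers.setdefault(HEADER, value)
            return resp
        return wrapped
    return decorator

xframe_options_deny = _header_decorator("DENY")
xframe_options_sameorigin = _header_decorator("SAMEORIGIN")

def xframe_options_exempt(view):
    # Flags the response so the middleware leaves it without the header.
    @wraps(view)
    def wrapped(request):
        resp = view(request)
        resp.xframe_options_exempt = True
        return resp
    return wrapped

def middleware(view, default="SAMEORIGIN"):
    # Site-wide default: applied only when the view set nothing and is not exempt.
    def handler(request):
        resp = view(request)
        if HEADER not in resp.headers and not resp.xframe_options_exempt:
            resp.headers[HEADER] = default
        return resp
    return handler

def effective_policy(view, default="SAMEORIGIN"):
    # Header value a browser would receive; None means the page can be framed.
    return middleware(view, default)(None).headers.get(HEADER)

# Constructed sample views
checkout = xframe_options_deny(lambda request: Response("buy now"))
widget = xframe_options_exempt(lambda request: Response("embeddable widget"))
home = lambda request: Response("home")
```

A None result from effective_policy marks a view that any site can frame, so the set of exempt views is the list to review when auditing a site.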


The X-Frame-Options header only protects against clickjacking in modern browsers. Older browsers ignore the header and need other clickjacking prevention techniques.

Browsers that support X-Frame-Options

  • Internet Explorer 8+

  • Firefox 3.6.9+

  • Opera 10.5+

  • Safari 4+

  • Chrome 4.1+

See also

Full list of browser support for X-Frame-Options

Translator: Django document collaborative translation team. Original: Clickjacking protection

This article is licensed under CC BY-NC-SA 3.0. Please keep the author’s signature and the source of the article.
