Clickjacking protection not activated

Your website is vulnerable to a clickjacking attack because the MIDDLEWARE setting is missing django.middleware.clickjacking.XFrameOptionsMiddleware, so users can be tricked into interacting with your website without realising it.

If unprotected, an invisible iframe pointing at your site can be placed on top of an innocent-looking button on a malicious web page, so when the user clicks the innocent button they are actually interacting with a button on your web page.

You may still find iframes useful, so Django allows setting the policy to SAMEORIGIN (framing allowed only from pages on the same origin) via X_FRAME_OPTIONS = 'SAMEORIGIN'.
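The following is an added example, not Code Review Doctor's own code, that mirrors this check without importing Django: it reads a plain dict standing in for the settings module (an assumption), reports the X-Frame-Options value Django will send for it, and classifies a served response's headers by whether a browser may frame it. The Django 3.0+ default of DENY when X_FRAME_OPTIONS is unset and the CSP frame-ancestors handling go beyond what the page states.

```python
from typing import Dict, List, Optional

# Middleware class the check looks for, as named on the page.
XFRAME_MIDDLEWARE = "django.middleware.clickjacking.XFrameOptionsMiddleware"
VALID_POLICIES = {"DENY", "SAMEORIGIN"}


def expected_xframe_header(settings: Dict[str, object]) -> Optional[str]:
    """Return the X-Frame-Options value Django will send, or None if unprotected.
    `settings` is a plain dict standing in for the settings module (assumption).
    With the middleware active, Django 3.0+ sends DENY unless X_FRAME_OPTIONS is set.
    """
    middleware = settings.get("MIDDLEWARE", [])
    if XFRAME_MIDDLEWARE not in middleware:
        return None  # header never set: the page's missing-middleware case
    policy = str(settings.get("X_FRAME_OPTIONS", "DENY")).upper()
    if policy not in VALID_POLICIES:
        raise ValueError(f"unsupported X_FRAME_OPTIONS value: {policy!r}")
    return policy


def audit_settings(settings: Dict[str, object]) -> List[str]:
    """Return findings in the style of the page's check; empty list when fine."""
    if expected_xframe_header(settings) is None:
        return [f"missing-xframe-middleware: add {XFRAME_MIDDLEWARE!r} to MIDDLEWARE"]
    return []


def framing_policy(headers: Dict[str, str]) -> str:
    """Classify a served response: 'none', 'same-origin', 'restricted' or 'any'.
    Looks at X-Frame-Options (what the middleware emits) and at a CSP
    frame-ancestors directive, which browsers honour in preference to it.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    for directive in lowered.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            value = value.strip()
            if value == "'none'":
                return "none"
            return "same-origin" if value == "'self'" else "restricted"
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "none"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "any"  # no framing restriction at all: the clickjackable case
```

Running audit_settings over a constructed settings dict that lacks the middleware yields the same missing-xframe-middleware finding the page describes; framing_policy is useful for confirming the header is actually served after deployment.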

If our GitHub code review bot spots this issue in your pull request it gives this advice:

settings.py
1
+
MIDDLEWARE = [
2
+
    'django.middleware.common.CommonMiddleware',
3
+
    'django.contrib.sessions.middleware.SessionMiddleware',
4
+
    ...
+
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
5
+
]
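Review bot: line 4 of the suggested settings.py is a literal `...` inside the MIDDLEWARE list, standing in for the project's existing middleware entries rather than something to commit. Since `...` is a valid Python expression (Ellipsis), committing the suggestion verbatim would not fail with a SyntaxError; it would leave a non-string entry in MIDDLEWARE that Django cannot import at startup. Keep the existing entries and add only the `'django.middleware.clickjacking.XFrameOptionsMiddleware',` line.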
We're your Django code review copilot. Get code improvements right in your pull request with our GitHub code review bot.

Configuring this check

Code Review Doctor will run this check by default. No configuration is needed, but the check can be turned on or off using the check code missing-xframe-middleware in your pyproject.toml file.

Read more about configuring Code Review Doctor.