Your website is vulnerable to a clickjacking attack because the MIDDLEWARE setting is missing django.middleware.clickjacking.XFrameOptionsMiddleware, so users can be tricked into interacting with your website without realising it.

That middleware adds the X-Frame-Options response header, which tells the browser whether your pages may be embedded in a frame. Without it, a malicious web page can place an invisible iframe pointing at your site on top of an innocent-looking button, so when the user clicks that button they are actually clicking a button on your web page.

You may find iframes useful though, so Django lets you relax the policy from its default of DENY (the default since Django 3.0; earlier releases defaulted to SAMEORIGIN) to SAMEORIGIN via X_FRAME_OPTIONS = 'SAMEORIGIN', which still blocks framing from other origins. If only a few views need to be framed, decorate those views with django.views.decorators.clickjacking.xframe_options_exempt rather than weakening the site-wide setting.
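The following is an added example (not Django's own code and not the review bot's) that models the check above and the resulting browser behaviour without needing Django installed. The two settings dicts WEAK_SETTINGS and FIXED_SETTINGS are constructed stand-ins for a project's settings.py, and the origins shop.example and attacker.example are assumed names.

```python
"""Audit a Django MIDDLEWARE / X_FRAME_OPTIONS configuration for clickjacking
protection and model what a browser does with the resulting header.

Added example: not Django's middleware and not the review bot's code. The
settings dicts below are constructed inline so the script runs offline.
"""
from __future__ import annotations

XFRAME_MW = "django.middleware.clickjacking.XFrameOptionsMiddleware"

# Values Django's middleware emits; it upper-cases the setting and falls back
# to DENY when X_FRAME_OPTIONS is unset (Django 3.0+; earlier: SAMEORIGIN).
VALID_POLICIES = {"DENY", "SAMEORIGIN"}

# Constructed 'before' settings: the middleware is missing, so responses carry
# no X-Frame-Options header and any origin may frame the site.
WEAK_SETTINGS = {
    "MIDDLEWARE": [
        "django.middleware.common.CommonMiddleware",
        "django.contrib.sessions.middleware.SessionMiddleware",
    ],
}

# Constructed 'after' settings: middleware added and the policy relaxed to
# SAMEORIGIN because this hypothetical project frames its own pages.
FIXED_SETTINGS = {
    "MIDDLEWARE": [
        "django.middleware.common.CommonMiddleware",
        "django.contrib.sessions.middleware.SessionMiddleware",
        XFRAME_MW,
    ],
    "X_FRAME_OPTIONS": "SAMEORIGIN",
}


def effective_xframe_header(settings: dict) -> str | None:
    """Return the X-Frame-Options value the middleware would add to responses,
    or None when the middleware is absent (no header, no protection)."""
    if XFRAME_MW not in settings.get("MIDDLEWARE", []):
        return None
    return str(settings.get("X_FRAME_OPTIONS", "DENY")).upper()


def audit_clickjacking(settings: dict) -> list[str]:
    """Return a list of findings; an empty list means the config is sound."""
    findings: list[str] = []
    middleware = settings.get("MIDDLEWARE", [])
    if XFRAME_MW not in middleware:
        findings.append(
            "MIDDLEWARE is missing " + XFRAME_MW
            + ": responses carry no X-Frame-Options header, so any origin can frame the site"
        )
    elif middleware.count(XFRAME_MW) > 1:
        findings.append(XFRAME_MW + " is listed more than once in MIDDLEWARE")
    policy = settings.get("X_FRAME_OPTIONS")
    if policy is not None and str(policy).upper() not in VALID_POLICIES:
        # Browsers ignore unrecognised values (ALLOW-FROM is obsolete), which
        # silently leaves the site frameable despite the setting being present.
        findings.append(
            f"X_FRAME_OPTIONS={policy!r} is not DENY or SAMEORIGIN; browsers ignore "
            "unknown values, leaving the site frameable"
        )
    return findings


def browser_allows_framing(header: str | None, site_origin: str, framer_origin: str) -> bool:
    """Model the browser's decision for a single-level iframe: may a page served
    from framer_origin embed site_origin, given the site's X-Frame-Options header?"""
    if header is None or header not in VALID_POLICIES:
        return True  # no header, or an unrecognised one: framing is allowed
    if header == "DENY":
        return False
    return framer_origin == site_origin  # SAMEORIGIN


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SETTINGS), ("fixed", FIXED_SETTINGS)):
        hdr = effective_xframe_header(cfg)
        print(f"{name}: header={hdr!r} findings={audit_clickjacking(cfg)}")
        print(
            "  attacker.example can frame shop.example:",
            browser_allows_framing(hdr, "https://shop.example", "https://attacker.example"),
        )
```

With the weak settings the audit reports the missing middleware and the attacker's page is allowed to frame the site; with the fixed settings the audit is clean and only shop.example itself may embed its pages.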
If our GitHub code review bot spots this issue in your pull request it gives this advice:
1 | + | MIDDLEWARE = [ | |
2 | + | 'django.middleware.common.CommonMiddleware', | |
3 | + | 'django.contrib.sessions.middleware.SessionMiddleware', | |
4 | + | ... |
Your website is vulnerable to a clickjacking attack because the MIDDLEWARE
setting is missing django.middleware.clickjacking.XFrameOptionsMiddleware
- so users can be tricked into interacting with your website without realising it.
+ | 'django.middleware.clickjacking.XFrameOptionsMiddleware', | |||
5 | + | ] |
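Review bot: the middleware is inserted after the collapsed "..." region of this hunk, so before merging confirm that the hidden lines do not already list django.middleware.clickjacking.XFrameOptionsMiddleware (a second entry is harmless but misleading) and that no view in this project needs to be framed: the hunk sets no X_FRAME_OPTIONS, so every response will carry X-Frame-Options: DENY (the Django 3.0+ default), and any page that is legitimately embedded in a frame must either be decorated with xframe_options_exempt or the project must set X_FRAME_OPTIONS = 'SAMEORIGIN'. The position of this entry in the list matters little, since the middleware only adds the header to responses that do not already carry one.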