When you deploy your Django application to production it is recommendable to adjust the settings.py with several security settings. One is the X_FRAME_OPTIONS setting, which protects your website against clickjacking.
As I deployed my Django webapp to production I put several security settings in to my settings.py. Among other things I wanted to protect my website against clickjacking. The clickjacking protection in Django is really easy to use.
First you have to enable the django.middleware.clickjacking.XFrameOptionsMiddleware in the MIDDLEWARE-section of your settings.py
MIDDLEWARE = [
'django.middleware.clickjacking.XFrameOptionsMiddleware',
]To enable the clickjacking protection and deny every outgoing HttpResponse just add the following line in your settings.py
X_FRAME_OPTIONS = 'DENY'Great, it worked as expected. Unfortunately I forgot that I use iframes within my application's backend to open my media list. All I saw now was a blank iframe.
Fortunately, it is possible to define individual rules for certain views. In my case, I only wanted the media list view frameable.
@login_required
@xframe_options_sameorigin
def media_list_select(request):
...
...
return render(request, 'cms/media_list_select.html', {'media': media})And Tada! The media list was rendered again in the iframe.
Cover image by Matan Segev | action-android-device-electronics-595804 | CC0 License