158. Clickjacking attacks and defensive measures

Clickjacking attacks:

Click hijacking, also known as clickjacking, is an attack in which a page overlays a transparent frame of another site on top of seemingly harmless content (such as a button) and entices the user to click; the click the user thinks they are giving to the harmless element is actually delivered to the hidden frame.

Clickjacking attack scenario:

The user opens a web page that contains a button ("View photo"). Above that button the page loads a transparent iframe, and the iframe loads a different page (the target). The iframe is positioned so that a button on the target page sits exactly over the visible "View photo" button, so when the user clicks what looks like "View photo", the click actually lands on the target page's button inside the iframe. For example, suppose I have a CSDN account and want visitors to follow it. I can prepare the following page, positioned so that the target's follow button lies under the decoy button:
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Clickjacking</title>
    <style>
        iframe {
            width: 100%;
            height: 100%;
            display: block;
            position: absolute;  /* both the iframe and the button are absolutely positioned */
            z-index: 20;  /* stacking order: the iframe sits above the button */
            opacity: 0.01;
            /* nearly invisible, but the frame still receives every click.
               opacity: 0 also receives clicks (only pointer-events: none,
               visibility: hidden or display: none would stop them); a small
               non-zero value lets the attacker see the overlay while aligning it */
        }
        button {
            position: absolute;
            left: 40px;
            top: 65px;
            z-index: 10;  /* the decoy stays underneath the transparent frame */
        }
    </style>
</head>
<body>
<h2>Wow, how did I end up in this photo! Come and see if you're in it too!</h2>
<button>View photo</button>
<iframe src="https://blog.csdn.net/zjy123078_zjy/" frameborder="0"></iframe>
</body>
</html>
Clickjacking defense: the way to stop this is to make our own site refuse to be loaded into other pages via iframe. We do that by setting the X-Frame-Options header on the response. X-Frame-Options accepts one of three values:
(1) DENY: no page at all may load my page in an iframe.
(2) SAMEORIGIN: only pages on the same origin (that is, my own site) may load the page in an iframe.
(3) ALLOW-FROM uri: only the single origin given may load this page in an iframe.
Of these, ALLOW-FROM should not be relied on: Chrome and Safari never implemented it, Firefox has removed it, and a browser that does not recognise the value ignores the whole header, which leaves the page framable. To allow specific origins, use the Content-Security-Policy frame-ancestors directive instead; browsers that support it give it precedence over X-Frame-Options when both headers are sent.
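As an added example (not part of the original post), here is a small Python checker that applies the framing rules current browsers use to a set of response headers and decides whether a page at one origin can be framed by a page at another. It covers the three X-Frame-Options values listed above and also the Content-Security-Policy frame-ancestors directive, which browsers honour in preference to X-Frame-Options when both are present. All origins and header sets in it are constructed for illustration; it assumes origins are passed already normalised, checks only the direct framer rather than every ancestor, and reads a single CSP header.

```python
"""Clickjacking exposure check (added example, not from the original post).

Given a page's response headers, decide whether a page served from
``framer_origin`` may embed it in an <iframe>, following the rules current
browsers apply:

* A Content-Security-Policy ``frame-ancestors`` directive takes precedence;
  when it is present, X-Frame-Options is ignored.
* X-Frame-Options: DENY blocks every framer; SAMEORIGIN allows only the
  page's own origin. ALLOW-FROM (and any other value) is not recognised by
  current browsers, and an unrecognised value means the header is ignored,
  which leaves the page framable.
* No header at all: framable.

Assumptions of this example: only the direct framer is checked, not every
ancestor; one CSP header, not several; origins arrive normalised, e.g.
"https://www.example.com".
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": "80", "https": "443"}


def _source_allows(src, framer_origin, page_origin):
    """True if one frame-ancestors source expression matches framer_origin."""
    src = src.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return framer_origin == page_origin
    if src == "*":
        return True
    f = urlsplit(framer_origin)
    if src.endswith(":") and "//" not in src:           # scheme-source, e.g. "https:"
        return f.scheme == src[:-1]
    # host-source: [scheme://]host[:port][/path]; the path plays no role here
    scheme, _, rest = src.rpartition("://")
    if scheme and scheme != f.scheme:
        return False
    host, _, port = rest.split("/", 1)[0].partition(":")
    framer_port = str(f.port) if f.port else DEFAULT_PORTS.get(f.scheme, "")
    if port and port != "*" and port != framer_port:
        return False
    if host.startswith("*."):                            # "*.example.com" matches subdomains only
        return f.hostname.endswith(host[1:])
    return f.hostname == host


def can_be_framed(headers, page_origin, framer_origin):
    """Return (framable, reason) for the page described by ``headers``."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            allowed = any(_source_allows(s, framer_origin, page_origin) for s in value.split())
            return allowed, f"CSP frame-ancestors {value.strip()!r} (X-Frame-Options ignored)"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        return framer_origin == page_origin, "X-Frame-Options: SAMEORIGIN"
    if xfo:
        return True, f"X-Frame-Options value {xfo!r} not recognised by current browsers; header ignored"
    return True, "no framing protection header"


if __name__ == "__main__":
    # Constructed origins and header sets, not real sites.
    ATTACKER = "https://evil.example"
    TARGET = "https://www.example.com"
    SAMPLES = {
        "no header (vulnerable)": {},
        "Django 3.0+ default": {"X-Frame-Options": "DENY"},
        "Django < 3.0 default": {"X-Frame-Options": "SAMEORIGIN"},
        "obsolete ALLOW-FROM": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
        "CSP allow-list": {"X-Frame-Options": "DENY",
                           "Content-Security-Policy":
                               "default-src 'self'; frame-ancestors 'self' https://*.partner.example"},
    }
    for label, hdrs in SAMPLES.items():
        framable, why = can_be_framed(hdrs, TARGET, ATTACKER)
        print(f"{label:24} framable by {ATTACKER}: {str(framable):5}  {why}")
```

Running the module prints one verdict per constructed header set; the ALLOW-FROM case is the instructive one, since a value the browser does not understand yields the same result as sending no header at all.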
In Django, the middleware django.middleware.clickjacking.XFrameOptionsMiddleware closes this hole. It sets X-Frame-Options to DENY (the default of the X_FRAME_OPTIONS setting since Django 3.0; earlier versions defaulted to SAMEORIGIN), so no other page can load ours in an iframe and the overlay trick above fails.

We can look at the middleware's source code:

from django.conf import settings
from django.utils.deprecation import MiddlewareMixin


class XFrameOptionsMiddleware(MiddlewareMixin):
    """
    Set the X-Frame-Options HTTP header in HTTP responses.

    Do not set the header if it's already set or if the response contains
    a xframe_options_exempt value set to True.

    By default, set the X-Frame-Options header to 'DENY', meaning the response
    cannot be displayed in a frame, regardless of the site attempting to do so.
    To enable the response to be loaded on a frame within the same site, set
    X_FRAME_OPTIONS in your project's Django settings to 'SAMEORIGIN'.
    """
    def process_response(self, request, response):
        # Don't set it if it's already in the response
        if response.get('X-Frame-Options') is not None:
            return response

        # Don't set it if they used @xframe_options_exempt
        if getattr(response, 'xframe_options_exempt', False):
            return response

        response['X-Frame-Options'] = self.get_xframe_options_value(request,
                                                                    response)
        return response

    def get_xframe_options_value(self, request, response):
        """
        Get the value to set for the X-Frame-Options header. Use the value from
        the X_FRAME_OPTIONS setting, or 'DENY' if not set.

        This method can be overridden if needed, allowing it to vary based on
        the request or response.
        """
        return getattr(settings, 'X_FRAME_OPTIONS', 'DENY').upper()
So, when we create a project with Django, the generated settings.py already lists this clickjacking middleware in MIDDLEWARE: the protection is enabled by default. A view that legitimately needs to be framed can opt out with the @xframe_options_exempt decorator from django.views.decorators.clickjacking, which sets the xframe_options_exempt attribute that process_response checks above.

Origin www.cnblogs.com/guyan-2020/p/12348070.html