Skip to main content
Version: 0.2

Clickjacking protection

This document describes Marten's clickjacking protection mechanism as well as the various tools that you can use in order to configure and make use of it.


Clickjacking attacks involve a malicious website embedding another unprotected website in a frame. This can lead to users performing unintended actions on the targeted website.

The best way to mitigate this risk is to rely on the X-Frame-Options header: this header indicates whether or not the protected resource is allowed to be embedded into a frame, and if so under which conditions. The X-Frame-Options header can be set to DENY or SAMEORIGIN:

  • DENY means that the response cannot be displayed inside a frame at all
  • SAMEORIGINS means that the browser will allow the response to be displayed inside a frame if the site defining the frame is the same as the one serving the actual resource

Basic usage

Marten's clickjacking protection involves using a dedicated middleware: the X-Frame-Options middleware. This middleware is automatically added to the middleware setting when generating projects via the new management command.

The X-Frame-Options middleware simply sets the X-Frame-Options header in order to prevent the considered Marten website from being inserted into a frame. The value that is used for the X-Frame-Options header depends on the value of the x_frame_options setting (whose default value is DENY).

It should be noted that you can decide to disable or enable the use of the X-Frame-Options middleware on a per-handler basis. To do so, you can simply make use of the #exempt_from_x_frame_options class method, which takes a single boolean as arguments:

class ProtectedHandler < Marten::Handler
exempt_from_x_frame_options false

# [...]

class UnprotectedHandler < Marten::Handler
exempt_from_x_frame_options true

# [...]