This document describes Marten's clickjacking protection mechanism as well as the various tools that you can use in order to configure and make use of it.
Clickjacking attacks involve a malicious website embedding another, unprotected website in a frame. This can trick users into performing unintended actions on the targeted website.
The best way to mitigate this risk is to rely on the X-Frame-Options header: this header indicates whether or not the protected resource is allowed to be embedded into a frame, and if so under which conditions. The X-Frame-Options header can be set to one of the following values:

- DENY means that the response cannot be displayed inside a frame at all
- SAMEORIGIN means that the browser will allow the response to be displayed inside a frame only if the site defining the frame is the same as the one serving the actual resource
Marten's clickjacking protection involves using a dedicated middleware: the X-Frame-Options middleware. This middleware is automatically added to the `middleware` setting when generating projects via the `new` management command.
The X-Frame-Options middleware simply sets the X-Frame-Options header in order to prevent the considered Marten website from being inserted into a frame. The value that is used for the X-Frame-Options header depends on the value of the `x_frame_options` setting (whose default value is
It should be noted that you can decide to disable or enable the use of the X-Frame-Options middleware on a per-handler basis. To do so, you can simply make use of the `#exempt_from_x_frame_options` class method, which takes a single boolean as argument:

```crystal
# The middleware keeps setting X-Frame-Options for this handler (the default).
class ProtectedHandler < Marten::Handler
  exempt_from_x_frame_options false
end

# The middleware skips this handler, so its responses carry no X-Frame-Options header.
class UnprotectedHandler < Marten::Handler
  exempt_from_x_frame_options true
end
```
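The pieces above combined into one project, as an added example that is not part of the Marten documentation: the middleware is enabled in the settings, the header value is chosen, one handler stays protected while a widget handler that is meant to be embedded opts out, and a spec checks which responses actually carry the header. The route paths, the handler names and the use of "SAMEORIGIN" as the configured value are choices made for this example, and the spec assumes Marten's test client (`Marten::Spec.client`).

```crystal
# config/settings/base.cr
Marten.configure do |config|
  # Enable the clickjacking middleware. `marten new` adds it for you;
  # it is listed explicitly here so the example is self-contained.
  config.middleware = [
    Marten::Middleware::XFrameOptions,
  ]
  # Header value written by the middleware for every non-exempt handler.
  # "SAMEORIGIN" is chosen for this example; "DENY" is the stricter option.
  config.x_frame_options = "SAMEORIGIN"
end

# src/handlers.cr
# Protected: the middleware adds X-Frame-Options: SAMEORIGIN to the response.
class ProtectedHandler < Marten::Handler
  exempt_from_x_frame_options false

  def get
    respond "This page cannot be framed by other origins."
  end
end

# Exempt: a widget intended to be framed by third-party sites (hypothetical).
# The middleware leaves X-Frame-Options unset for this handler only, so keep
# the exemption limited to handlers that genuinely need to be embedded.
class EmbeddableWidgetHandler < Marten::Handler
  exempt_from_x_frame_options true

  def get
    respond "Embeddable widget"
  end
end

# config/routes.cr (paths chosen for this example)
Marten.routes.draw do
  path "/protected", ProtectedHandler, name: "protected"
  path "/widget", EmbeddableWidgetHandler, name: "widget"
end

# spec/handlers_spec.cr: confirm the header reaches the right responses
describe "X-Frame-Options" do
  it "is set on protected handlers and absent on exempt ones" do
    client = Marten::Spec.client
    client.get("/protected").headers["X-Frame-Options"]?.should eq "SAMEORIGIN"
    client.get("/widget").headers["X-Frame-Options"]?.should be_nil
  end
end
```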