Will It Vibe logoWill It Vibe?
DJANGO-013Medium severity-8 points

Clickjacking middleware missing from MIDDLEWARE

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.

What it detects

A MIDDLEWARE list is defined with no django.middleware.clickjacking.XFrameOptionsMiddleware entry, so Django never sends the X-Frame-Options header it ships by default, leaving pages embeddable in a hostile iframe.

Why it matters

With no XFrameOptionsMiddleware in MIDDLEWARE, Django never sends the X-Frame-Options header it ships by default. Without it, a hostile site can embed your pages in an invisible or disguised iframe and trick users into clicking things they cannot see, the classic clickjacking attack, which is especially dangerous on any page with a state-changing button (delete, transfer, approve).

How to fix it

Add 'django.middleware.clickjacking.XFrameOptionsMiddleware' back into MIDDLEWARE. The default X_FRAME_OPTIONS value of 'DENY' is right for most sites; only override it to 'SAMEORIGIN' if you genuinely need to frame your own pages from your own domain, and use @xframe_options_exempt only on the specific view that must be embeddable elsewhere.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks