Clickjacking middleware missing from MIDDLEWARE
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 8 points from that category, once per scan, no matter how many places it turns up.
What it detects
A MIDDLEWARE list is defined with no django.middleware.clickjacking.XFrameOptionsMiddleware entry, so Django never sends the X-Frame-Options header it ships by default, leaving pages embeddable in a hostile iframe.
Why it matters
With no XFrameOptionsMiddleware in MIDDLEWARE, Django never sends the X-Frame-Options header it ships by default. Without it, a hostile site can embed your pages in an invisible or disguised iframe and trick users into clicking things they cannot see, the classic clickjacking attack, which is especially dangerous on any page with a state-changing button (delete, transfer, approve).
How to fix it
Add 'django.middleware.clickjacking.XFrameOptionsMiddleware' back into MIDDLEWARE. The default X_FRAME_OPTIONS value of 'DENY' is right for most sites; only override it to 'SAMEORIGIN' if you genuinely need to frame your own pages from your own domain, and use @xframe_options_exempt only on the specific view that must be embeddable elsewhere.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo