Funktionierender Prototyp des Serious Games zur Vermittlung von Wissen zu Software-Engineering-Arbeitsmodellen.


  1. """
  2. Clickjacking Protection Middleware.
  3. This module provides a middleware that implements protection against a
  4. malicious site loading resources from your site in a hidden frame.
  5. """
  6. from django.conf import settings
  7. from django.utils.deprecation import MiddlewareMixin
class XFrameOptionsMiddleware(MiddlewareMixin):
    """
    Attach an ``X-Frame-Options`` header to outgoing responses.

    The header is left untouched when the response already carries one, or
    when the response object has a truthy ``xframe_options_exempt`` attribute
    (as set by the ``@xframe_options_exempt`` decorator).

    The value defaults to ``'DENY'`` (the response may not be framed by any
    site). Set ``X_FRAME_OPTIONS = 'SAMEORIGIN'`` in the project's Django
    settings to allow framing by pages of the same origin.

    NOTE: the setting is read on every response rather than cached at
    start-up, so ``get_xframe_options_value`` can be overridden to vary the
    value per request or response. ``X-Frame-Options`` is the legacy framing
    control; modern browsers prefer the CSP ``frame-ancestors`` directive,
    which this middleware does not emit.
    """

    def process_response(self, request, response):
        """
        Return ``response`` with ``X-Frame-Options`` set unless it is already
        present or the response opted out via ``xframe_options_exempt``.

        Args:
            request: The incoming HttpRequest (forwarded to
                ``get_xframe_options_value``).
            response: The outgoing HttpResponse to decorate.

        Returns:
            The same response object, possibly with the header added.
        """
        # An explicit header on the response wins over the middleware; an
        # exempt view disables the protection for that response entirely.
        header_present = response.get("X-Frame-Options") is not None
        if header_present or getattr(response, "xframe_options_exempt", False):
            return response

        header_value = self.get_xframe_options_value(request, response)
        response.headers["X-Frame-Options"] = header_value
        return response

    def get_xframe_options_value(self, request, response):
        """
        Return the ``X-Frame-Options`` value to use for this response.

        Reads ``settings.X_FRAME_OPTIONS`` and falls back to ``'DENY'`` when
        the setting is absent; the result is upper-cased. Override this
        method to choose the value based on ``request`` or ``response``.
        """
        configured = getattr(settings, "X_FRAME_OPTIONS", "DENY")
        return configured.upper()