Clickjacking
Clickjacking is a means of misleading a user into clicking a hidden link or button in the browser when they intended to click on something else.
This is typically implemented using an invisible IFRAME that contains the target website, placed over a dummy web page (shown here) that the user is likely to click on:
Since the action button in the invisible frame would be aligned exactly above the button in the dummy page, the user's click will perform an action on the target website instead.
How Django helps
Django protects your site from clickjacking using middleware that can be fine-tuned using several decorators. By default, this django.middleware.clickjacking.XFrameOptionsMiddleware middleware will be included in your MIDDLEWARE_CLASSES within your settings file. It works by setting the X-Frame-Options header to SAMEORIGIN for every outgoing HttpResponse.
Most modern browsers recognize the header, which means that this page should not be inside a frame in other domains. The protection...
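The middleware-plus-decorator interplay described above, as an added stand-alone example (not Django's own code): it mirrors the precedence rules, where a view that sets the header itself wins, an exempt view gets no header, and everything else receives the SAMEORIGIN default. Response, xframe_options_middleware and frame_header are assumed names; the real pieces live in django.middleware.clickjacking and django.views.decorators.clickjacking.

```python
# Added example, not Django's own code: a minimal stand-in showing how
# XFrameOptionsMiddleware and the clickjacking decorators combine, runnable
# without Django. Response, xframe_options_middleware and frame_header are
# assumed names standing in for the real Django classes and decorators.
import functools

SAMEORIGIN, DENY = "SAMEORIGIN", "DENY"

class Response:
    """Tiny stand-in for HttpResponse: a body, headers and an exempt flag."""
    def __init__(self, body=""):
        self.body, self.headers, self.xframe_options_exempt = body, {}, False

def xframe_options_middleware(get_response, default=SAMEORIGIN):
    """Like Django's middleware: add X-Frame-Options to every response unless
    the view opted out or already set the header itself."""
    def middleware(request):
        response = get_response(request)
        if not response.xframe_options_exempt:
            response.headers.setdefault("X-Frame-Options", default)
        return response
    return middleware

def _header_decorator(value):
    """Build a view decorator that pins X-Frame-Options to a fixed value."""
    def decorator(view):
        @functools.wraps(view)
        def wrapped(request):
            response = view(request)
            response.headers.setdefault("X-Frame-Options", value)
            return response
        return wrapped
    return decorator

xframe_options_deny = _header_decorator(DENY)              # no framing at all
xframe_options_sameorigin = _header_decorator(SAMEORIGIN)  # same-site frames only

def xframe_options_exempt(view):
    """Mark a view as intentionally frameable (e.g. an embeddable widget)."""
    @functools.wraps(view)
    def wrapped(request):
        response = view(request)
        response.xframe_options_exempt = True
        return response
    return wrapped

def frame_header(view):
    """Run a view through the middleware; return the header a browser sees."""
    return xframe_options_middleware(view)(None).headers.get("X-Frame-Options")
```

Exempting a view removes the browser-side protection for that response only, so it should be reserved for content that is genuinely meant to be embedded on other sites.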