django3 Refused to display 'url' in a frame because it set 'X-Frame-Options' to 'deny'

created at 07-16-2021 views: 131


When using django3 for development, because the project front-end page uses the iframe frame, the browser error message is as follows:

Refused to display 'url' in a frame because it set 'X-Frame-Options' to 'deny'

According to the prompt information, it is found that X-Frame-Options=deny is caused.


What is X-Frame-Options

The X-Frame-Options HTTP response header is used to indicate to the browser whether a page can be displayed in <frame>, <iframe>, <embed> or <object>. Sites can avoid clickjacking attacks by ensuring that the site is not embedded in someone else’s site.


X-Frame-Options has three values:

  1. DENY: Indicates that the page is not allowed to be displayed in the frame, even if it is nested in a page with the same domain name
  2. SAMEORIGIN: Indicates that the page can be displayed in the frame of the page with the same domain name
  3. ALLOW-FROM uri: Indicates that the page can be displayed in the frame of the specified source

According to the above three value descriptions of X-Frame-Options, as long as the X-Frame-Options of django is modified to SAMEORIGIN, then pages with the same domain name can be displayed in a frame.


Clickjacking protection

Clickjacking middleware and decorators provide easy-to-use protection to prevent clickjacking. This type of attack occurs when a malicious site entices users to click on a hidden element of another site that they have loaded into a hidden frame or iframe.

Clickjacking example

Assume that the online store has a page on which the logged-in user can click "Buy Now" to purchase goods. For convenience, the user chooses to stay logged in at all times. The attacker’s site may create a "I like my little horse" button on one of its pages, and then load the store's page into a transparent iframe, so that the "Buy Now" button is covered in an invisible way on the "I like Pony" button. Pony" button. If a user visits the attacker’s website, clicking on "I like my little horse" will result in inadvertently clicking the "Buy Now" button and purchasing the item without knowing it.

Prevent clickjacking

Modern browsers use the X-Frame-Options HTTP header, which indicates whether to allow loading of resources in a frame or iframe. If the response contains a header with a header value, SAMEORIGIN then the browser will only load the resource into the frame when the request originates from the same site. If the header is set to DENY, no matter which site makes the request, the browser will prevent the resource from being loaded into the frame.

django settings

In django3.0 version, clickjacking protection is enabled by default. Django provides several ways to include this header in your website response:

  1. Middleware that sets headers in all responses.
  2. A set of view decorators that can be used to cover middleware or set headers only for certain views.

If the X-Frame-Options HTTP header has not yet appeared in the response, it is only set by the middleware or view decorator.

Django turns on clickjacking protection by default

Set X-Frame-Options to all responses

To set X-Frame-Options to the same value for all responses in your site, enter 'django.middleware.clickjacking.XFrameOptionsMiddleware' in MIDDLEWARE in


The middleware startproject is enabled in the generated settings file.

By default, the middleware will set the X-Frame-Options header DENY to HttpResponse for each outgoing.

To allow websites with the same domain name to use frme display, please set the following X_FRAME_OPTIONS:


Specify the view function without setting X-Frame-Options

from django.http import HttpResponse
from django.views.decorators.clickjacking import xframe_options_exempt

def ok_to_load_in_a_frame(request):
    return HttpResponse("This page is safe to load in a frame on any site.")

Specify the view function setting X-Frame-Options
Django provides the following decorators:

from django.views.decorators.clickjacking import xframe_options_deny
from django.views.decorators.clickjacking import xframe_options_sameorigin

def view_one(request):
    return HttpResponse("I won't display in any frame!")

def view_two(request):
    return HttpResponse("Display in a frame if it's from the same origin as me.")


If you want to submit a form or access the session cookie in a frame or iframe, you may need to modify the CSRF_COOKIE_SAMESITE or SESSION_COOKIE_SAMESITE settings.


created at:07-16-2021
edited at: 07-16-2021: