Sunday, May 13, 2018

Abdelkader did penetration tests on a Lino site and reported that it is not protected against clickjacking. Indeed, Lino doesn’t provide this as a default. But Django provides a simple solution (at least for modern browsers): Clickjacking Protection

So in order to protect a Lino application against clickjacking, you add one line to your settings.py (after the SITE instance has been created, since that is what populates the Django settings):

class Site(Site):
    ...

SITE = Site(globals())

# Site(globals()) has written the Django settings, including
# MIDDLEWARE_CLASSES, into this module, so the middleware can be
# appended to the tuple it defined:
MIDDLEWARE_CLASSES += (
    'django.middleware.clickjacking.XFrameOptionsMiddleware',)
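To confirm that the change is actually effective, it helps to look at the response headers the site now sends: XFrameOptionsMiddleware adds X-Frame-Options: SAMEORIGIN (Django's default for X_FRAME_OPTIONS), and newer browsers also honour a Content-Security-Policy frame-ancestors directive. The checker below is an added example, not Lino or Django code; it takes a mapping of response headers (the constructed BEFORE and AFTER samples stand in for what a real Lino site returned before and after the fix) and says whether the page can be framed.

```python
"""Check whether an HTTP response's headers stop the page being framed.

Added example (not Lino or Django code).  Django's XFrameOptionsMiddleware
sets ``X-Frame-Options: SAMEORIGIN`` unless a view is exempt; the CSP
``frame-ancestors`` directive is checked first because browsers that
support both give it precedence.
"""
import re


def frame_protection(headers):
    """Return (protected, reason) for a mapping of response headers.

    Header names are matched case-insensitively.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy", "")
    m = re.search(r"frame-ancestors\s+([^;]+)", csp, re.IGNORECASE)
    if m:
        sources = m.group(1).strip().lower()
        if sources == "*":
            return False, "CSP frame-ancestors * permits any framer"
        return True, "CSP frame-ancestors %s" % sources
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options %s" % xfo
    if xfo:
        # ALLOW-FROM is obsolete and ignored by current browsers, so it
        # gives no protection; any other value is simply invalid.
        return False, "X-Frame-Options %r not honoured by browsers" % xfo
    return False, "no anti-framing header"


# Constructed sample responses: before and after enabling the middleware.
BEFORE = {"Content-Type": "text/html; charset=utf-8"}
AFTER = {"Content-Type": "text/html; charset=utf-8",
         "X-Frame-Options": "SAMEORIGIN"}

if __name__ == "__main__":
    for name, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(name, frame_protection(hdrs))
```

The same function can be fed the headers of a live response (for example the dict returned by requests' `response.headers`) to verify a deployed site.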

See also Security of Lino applications.