Django'da Clickjack Tuzağının Engeli ve Kontrolu - XFrameOptionsMiddleware by hakancelik

coogger · @hakancelik · Feb 15 '19 (edited)

$0.03

Django'da Clickjack Tuzağının Engeli ve Kontrolu - XFrameOptionsMiddleware

<center>

<a href="https://www.coogger.com/@hakancelik/django-ile-clickjack-tuzagnn-engellenmesi-ve-kontol-edilmesi-iframe-embed">


  <img alt="None" src="https://cdn.steemitimages.com/DQmTxbMupXoHhMSTNk6ydzYgTEDCu83f5fGHVqNsgJxebDc">

</a>

<a href="https://www.coogger.com/@hakancelik/django-ile-clickjack-tuzagnn-engellenmesi-ve-kontol-edilmesi-iframe-embed">Read this content on coogger</a>

</center>

👍 hakancelik, murattatar, stmpay, bluesniper, steemexpress, ralph-rennoldson, kaz2305, ozkansen

properties (23)

`author`	hakancelik
`permlink`	django-ile-clickjack-tuzagnn-engellenmesi-ve-kontol-edilmesi-iframe-embed
`category`	coogger
`json_metadata`	"{"format": "markdown", "tags": ["coogger", "clickjack", "security", "django", "xframeoptionsmiddleware"], "app": "coogger/1.4.1", "ecosystem": {"version": "1.4.1", "body": "[TOC]\r\n\r\n------\r\n\r\nClickjack nedir ve nas\u0131l korunulur, \u00f6nlemleri nelerdir gibi daha fazla bilgiye ihtiya\u00e7 duyuyorsan\u0131z [clickjacking ad\u0131ndaki listeme g\u00f6z atabilirsiniz.](https://www.coogger.com/clickjacking/@hakancelik/)\r\n\r\n -------\r\n\r\nDjango k\u00fct\u00fcphanesinde bulunan clickjack middleware ( ara katman ) ve dekorat\u00f6rler clickjack'e kar\u015f\u0131 kullan\u0131m\u0131 kolay koruma sa\u011flar.\r\n\r\n<img src=\"https://cdn.steemitimages.com/DQmTxbMupXoHhMSTNk6ydzYgTEDCu83f5fGHVqNsgJxebDc\" general=\"w-100 br-2 center\">\r\n\r\nDjango uygulaman\u0131zda MIDDLEWARE listesine ellemediyseniz zaten uygulaman\u0131z \u015fuan bu a\u00e7\u0131\u011fa kar\u015f\u0131 koruma durumunda, bunu korumay\u0131 `django.middleware.clickjacking.XFrameOptionsMiddleware` Middlewar'i ile yap\u0131yor, e\u011fer bilmeyerek sildiyseniz hemen bunu kopyalayarak MIDDLEWARE b\u00f6l\u00fcm\u00fcne eklemelisiniz.\r\n\r\nVarsay\u0131lan olarak X-Frame-Options header'i middleware'de SAMEORIGIN olarak ayarlanm\u0131\u015f durumda olacakt\u0131r b\u00fct\u00fcn Http yan\u0131tlar\u0131nda (HttpResponse), fakat e\u011fer isterseniz bunu de\u011fi\u015ftirebilirsiniz.\r\n\r\n/settings.py\r\n`X_FRAME_OPTIONS = 'DENY'` Yazarak gelen b\u00fct\u00fcn istekleri reddedebilirsiniz.\r\n\r\nDaha da iyisi siz sadece baz\u0131 durumlarda b\u00fct\u00fcn isteklere izin versin istiyorsan\u0131z yapman\u0131z gereken, /views.py dosyan\u0131zda bulunan izin vermek istedi\u011finiz view fonksiyon veya s\u0131n\u0131f\u0131n\u0131zda djangonun bu i\u015flem i\u00e7in kullan\u0131lan dekorat\u00f6r\u00fc kullanmal\u0131s\u0131n\u0131z.\r\n\r\n### Fonksiyonel View'de Clickjacking Korumas\u0131na M\u00fcdahale Etmek.\r\n\u00c7ok kolay /views.py dosyam\u0131za `from django.views.decorators.clickjacking import xframe_options_exempt` xframe_options_exempt adl\u0131 dekorat\u00f6r\u00fc dahil ediyoruz ve izin verdi\u011fimiz fonksiyonda kullan\u0131yoruz a\u015fa\u011f\u0131da bir \u00f6rnek bulunmaktad\u0131r.\r\n\r\n\r\n```python\r\nfrom django.http import HttpResponse\r\nfrom django.views.decorators.clickjacking import xframe_options_exempt\r\n\r\n@xframe_options_exempt\r\ndef ok_to_load_in_a_frame(request):\r\n return HttpResponse(\"Bu sayfa herhangi bir sitede bir \u00e7er\u00e7eveye y\u00fcklemek i\u00e7in g\u00fcvenlidir.\")\r\n```\r\n\r\nDi\u011fer se\u00e7enekleri de g\u00f6relim,\r\n\r\n```python\r\nfrom django.views.decorators.clickjacking import xframe_options_deny, xframe_options_sameorigin, xframe_options_exempt\r\n# @xframe_options_deny operat\u00f6r\u00fc reddeder\r\n# @xframe_options_sameorigin operat\u00f6r\u00fc ayn\u0131 k\u00f6kene sahip sitelere izin verir.\r\n# @xframe_options_exempt hepsine izin verir\r\n```\r\n\r\n### S\u0131n\u0131fsal ( class based ) View'de Clickjacking Korumas\u0131na M\u00fcdahale Etmek.\r\n\r\nBurada yukar\u0131dake ek olarak X-Frame-Options i\u00e7in yap\u0131lm\u0131\u015f dekoret\u00f6rleri kullanabilmek i\u00e7in `method_decorator` ad\u0131nda bir dekorat\u00f6r\u00fc projemize dahil etmemiz gerekiyor `from django.utils.decorators import method_decorator`.\r\n bu dekorat\u00f6r\u00fcn amac\u0131 b\u00fct\u00fcn dekorat\u00f6rleri class based ( s\u0131n\u0131fsal ) view ile kodlad\u0131\u011f\u0131m\u0131zda da kullanabilelim.\r\n\r\n```python\r\n# django class based\r\nfrom django.views.generic.base import TemplateView\r\n# clickjacking \r\nfrom django.views.decorators.clickjacking import xframe_options_deny, xframe_options_sameorigin, xframe_options_exempt\r\n# decorators \r\nfrom django.utils.decorators import method_decorator\r\n\r\n@method_decorator(xframe_options_exempt, name='dispatch') # dekorat\u00f6r\u00fcn ilk parametresine kullanmak istedi\u011fim X-Frame-Options dekorat\u00f6r\u00fcn\u00fc verdim ve ikinci parametre olarak bir isim verdim, i\u015fte bu kadar geri kalan kodlar zaten class based view konusuna giriyor.\r\nclass Embed(TemplateView):\r\n template_name = \"index.html\"\r\n def get_context_data(self, kwargs):\r\n context = super(Embed, self).get_context_data(kwargs)\r\n context [\"note\"] = \"Bu sayfa herhangi bir sitede bir \u00e7er\u00e7eveye y\u00fcklemek i\u00e7in g\u00fcvenlidir.\"\r\n return context \r\n```\r\n\r\nDekorat\u00f6r\u00fc /views.py'in url adresini art\u0131k di\u011fer siteler kullanabilir ve kendi sitelerine g\u00f6mebilirler, ben bu izni sadece i\u00e7erik detay sayfas\u0131 i\u00e7in yapt\u0131m, bunu \u00f6rnekleyelim\r\n\r\nA\u015fa\u011f\u0131daki kodu bir siteye yazd\u0131\u011f\u0131mda youtube video g\u00f6mmede oldu\u011fu gibi src k\u0131sm\u0131nda yazan adresi yani i\u00e7eri\u011fi g\u00f6mm\u00fc\u015f olaca\u011f\u0131m.\r\n\r\n```html\r\n<iframe scrolling=\"yes\" frameborder=\"0\" height=\"300px\" width=\"100%\" src=\"https://www.coogger.com/embed/@hakancelik/clickjack-tuzagsaldrs-nedir/\"></iframe>\r\n```\r\n\r\nSonu\u00e7 ;\r\n\r\n<iframe scrolling=\"yes\" frameborder=\"0\" height=\"300px\" width=\"100%\" src=\"https://www.coogger.com/embed/@hakancelik/clickjack-tuzagsaldrs-nedir/\"></iframe>\r\n\r\n#### Yararlan\u0131lan Kaynaklar\r\n\r\n- [Clickjacking - docs.djangoproject.com](https://docs.djangoproject.com/en/2.1/ref/clickjacking/)\r\n- [Class based Clickjacking - coogger \| github](https://github.com/coogger/coogger/blob/7b0b6ee13f417a16bb196366287135bb9ab1cf1e/coogger/cooggerapp/views/detail.py)"}}"
`created`	2018-12-26 13:00:36
`last_update`	2019-02-15 21:20:03
`depth`	0
`children`	0
`last_payout`	2019-01-02 13:00:36
`cashout_time`	1969-12-31 23:59:59
`total_payout_value`	0.027 HBD
`curator_payout_value`	0.001 HBD
`pending_payout_value`	0.000 HBD
`promoted`	0.000 HBD
`body_length`	407
`author_reputation`	15,102,487,166,852
`root_title`	"Django'da Clickjack Tuzağının Engeli ve Kontrolu - XFrameOptionsMiddleware"
`beneficiaries`	`[]`
`max_accepted_payout`	1,000,000.000 HBD
`percent_hbd`	10,000
`post_id`	77,405,475
`net_rshares`	64,357,623,152
`author_curate_reward`	""

vote details (8)

voter	rshares	pct
ralph-rennoldson	670,508,588	0.98%
kaz2305	375,323,639	100%
murattatar	5,851,457,648	20%
hakancelik	46,220,209,173	100%
steemexpress	822,233,440	1.56%
stmpay	5,352,559,183	1.61%
bluesniper	5,065,331,481	0.32%
ozkansen	0	100%