# Missing Clickjacking Protection

- ID: python-clickjacking
- Severity: MEDIUM
- CWE: CWE-clickjacking (CWE-)
- Languages: Python
- Frameworks: django, flask, fastapi

## Description

Detects missing clickjacking protection headers (`X-Frame-Options` or CSP `frame-ancestors`). Without one of these headers, an attacker can embed your site in an iframe on a page they control and trick users into clicking elements of your page that they cannot see, which is a clickjacking attack.

## Detection Message

Application lacks X-Frame-Options or CSP frame-ancestors header

## Remediation

Add an `X-Frame-Options` header or a CSP `frame-ancestors` directive to every response to prevent clickjacking. For Flask:

```python
@app.after_request
def set_frame_options(response):
    # DENY forbids framing by any origin; use SAMEORIGIN if your own
    # pages legitimately frame each other.
    response.headers['X-Frame-Options'] = 'DENY'
    return response
```

## Related Rules

- **Docker Build Optimization and Best Practices** [LOW]:
- **Docker Compose Obsolete Version Field** [LOW]:
- **Docker File Operations Best Practices** [LOW]:
- **Invalid Port Number in EXPOSE** [ERROR]:
- **Multiple ENTRYPOINT Instructions** [MEDIUM]:
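The check behind this rule, as an added example that is not the rule's own code: given a response's headers it reports whether clickjacking protection is present, treating `frame-ancestors` as taking precedence, ignoring the obsolete `ALLOW-FROM` value and report-only CSP, and flagging a wildcard `frame-ancestors`. The function names and the sample header sets are constructed for this example.

```python
"""Decide whether an HTTP response's headers protect against clickjacking.

Added example (hypothetical helper names); header values below are constructed.
"""
from typing import List, Mapping, Optional, Tuple

# X-Frame-Options values that current browsers actually enforce.
# ALLOW-FROM is obsolete and ignored, so it does not count as protection.
SAFE_XFO = {"DENY", "SAMEORIGIN"}


def csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def clickjacking_protection(headers: Mapping[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason) for one response's headers.

    Header names are matched case-insensitively. Content-Security-Policy-
    Report-Only is deliberately ignored: it reports violations, never blocks.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    ancestors = csp_frame_ancestors(lower.get("content-security-policy", ""))
    if ancestors is not None:
        # Browsers that support frame-ancestors ignore X-Frame-Options,
        # so a wildcard here leaves the page frameable by anyone.
        if "*" in ancestors:
            return False, "frame-ancestors allows any origin ('*')"
        return True, "CSP frame-ancestors " + " ".join(ancestors)
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in SAFE_XFO:
        return True, "X-Frame-Options " + xfo
    if xfo:
        return False, "X-Frame-Options %r is not enforced by browsers" % xfo
    return False, "no X-Frame-Options or CSP frame-ancestors header"


if __name__ == "__main__":
    # Constructed sample: a response before and after the remediation above.
    before = {"Content-Type": "text/html"}
    after = {"Content-Type": "text/html", "X-Frame-Options": "DENY"}
    for label, hdrs in (("before", before), ("after", after)):
        print(label, clickjacking_protection(hdrs))
```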