Clickjacking Prevention in Python — ELI5

Imagine a prankster puts a clear glass panel in front of a vending machine. Behind the glass, they tape a sign that says “Free candy — push here!” You push the spot on the glass, but your finger actually presses a different button on the real vending machine behind it — maybe one that charges your account or changes your settings.

That’s clickjacking.

On the web, a bad website can load your bank’s page inside an invisible frame. They lay their own fake page on top. When you think you’re clicking “Play Video” on their site, you’re actually clicking “Transfer $500” on the invisible bank page underneath.

Your browser doesn’t know you’ve been tricked — to it, you genuinely clicked the bank’s button. Your cookies are active, you’re logged in, and the action goes through.

Python developers prevent this by telling browsers: “Don’t let other websites put my pages in a frame.” It’s like the vending machine company adding a rule: “Our machine cannot be placed behind glass panels.”

When a Python server sends a page, it can include a special header that says “this page refuses to be embedded inside another website.” Modern browsers respect this rule and will block the attempt entirely.

Django has this protection turned on by default. Other Python frameworks like Flask and FastAPI let developers add it with a couple of lines of code.
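To make the "special header" concrete, here is an added example (not code from the original page or from Django, Flask or FastAPI): a small standard-library WSGI middleware that stamps the two anti-framing headers browsers honour onto every response. The app and function names (`anti_framing_middleware`, `bank_app`, `run_request`) are this example's own, chosen so it runs without any framework installed.

```python
# Added example: framework-agnostic WSGI middleware that refuses framing.
# Standard library only; names here are the example's own, not a framework API.
from wsgiref.util import setup_testing_defaults

ANTI_FRAMING_HEADERS = [
    # Older header: DENY refuses every framer, SAMEORIGIN would allow only our own site.
    ("X-Frame-Options", "DENY"),
    # Modern equivalent: 'none' forbids framing, 'self' would allow same-origin only.
    ("Content-Security-Policy", "frame-ancestors 'none'"),
]

def anti_framing_middleware(app):
    """Wrap any WSGI app so every response it sends carries the anti-framing headers."""
    def wrapped(environ, start_response):
        def patched_start_response(status, headers, exc_info=None):
            # Drop any existing copies so the strict value wins, then append ours.
            names = {name.lower() for name, _ in ANTI_FRAMING_HEADERS}
            headers = [(k, v) for k, v in headers if k.lower() not in names]
            headers.extend(ANTI_FRAMING_HEADERS)
            return start_response(status, headers, exc_info)
        return app(environ, patched_start_response)
    return wrapped

def bank_app(environ, start_response):
    """Stand-in for a page with a sensitive button (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<form method=post action=/transfer><button>Transfer</button></form>"]

def run_request(app, path="/"):
    """Call a WSGI app in-process and return (status, {header: value}, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body

if __name__ == "__main__":
    protected = anti_framing_middleware(bank_app)
    status, headers, _ = run_request(protected)
    print(status, headers["X-Frame-Options"], headers["Content-Security-Policy"])
```

A browser that receives either header will refuse to render the page inside another site's frame, so the hidden-button trick described above never gets a page to hide.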

The one thing to remember: Clickjacking hides a real website behind a fake one to trick your clicks, and Python servers prevent it by telling browsers “don’t let anyone frame my pages.”
