Add clickjacking protection (X-Frame-Options header)
Reported by: rniemeyer
Owned by: rniemeyer
Has patch: yes
Needs documentation: yes
Needs tests: no
Patch needs improvement: no
For security reasons, many sites implement some form of clickjacking protection. Now that most modern browsers (IE8+, Firefox 3.6.9+, Chrome 4.1+, Safari 4+, Opera 10.5+) support the X-Frame-Options header, it seems to make sense for Django to support it as well.
Included is a patch for a middleware (based off Paul Osman's work) that will set the X-Frame-Options header for all responses. By default it sets it to 'DENY', but allows for a settings.py value if 'SAMEORIGIN' is desired instead.
I stuck this in a new clickjacking middleware module, but it could obviously go somewhere else if that's not the best location.
While this is a rather trivial piece of code, it still feels like a worthwhile addition to Django for PR and "batteries included" reasons. If that's not generally agreed upon, I can open up a discussion on django dev. If this is deemed a good idea, then I can add docs to go along with the code/tests.
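The middleware the ticket describes, written out as an added example (not the ticket's patch and not Django's own code): it sets X-Frame-Options on every response, defaults to DENY, and reads the alternative from a setting named X_FRAME_OPTIONS (an assumed name). Two guards beyond what the ticket states are also assumptions: a header a view has already set is left untouched, and any value other than the two the ticket names is rejected at startup.

```python
# Added example, not the ticket's patch. Setting name X_FRAME_OPTIONS, the
# "keep an explicitly set header" rule and the startup validation are assumptions.
from types import SimpleNamespace

HEADER = "X-Frame-Options"
ALLOWED = ("DENY", "SAMEORIGIN")  # the two values the ticket mentions


def _django_settings():
    """Return django.conf.settings when Django is importable, otherwise an
    empty namespace so the example also runs without Django installed."""
    try:
        from django.conf import settings
        return settings
    except ImportError:
        return SimpleNamespace()


class XFrameOptionsMiddleware:
    """Django-style middleware: constructed with get_response, called per request."""

    def __init__(self, get_response, settings=None):
        self.get_response = get_response
        settings = settings if settings is not None else _django_settings()
        value = str(getattr(settings, "X_FRAME_OPTIONS", "DENY")).upper()
        if value not in ALLOWED:
            # Fail closed at startup rather than emit a value browsers ignore,
            # which would silently leave every page frameable.
            raise ValueError(f"X_FRAME_OPTIONS must be one of {ALLOWED}, got {value!r}")
        self.value = value

    def __call__(self, request):
        return self.process_response(request, self.get_response(request))

    def process_response(self, request, response):
        # Works with Django's HttpResponse (header access via [] and `in`)
        # and with any dict-like stand-in. A view that already chose a value
        # keeps it; everything else gets the site-wide default.
        if HEADER not in response:
            response[HEADER] = self.value
        return response
```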
Change History (16)
comment:7 Changed 6 years ago by
Summary: Add middleware for setting X-Frame-Options HTTP header in responses → Add clickjacking protection (X-Frame-Options header)