Add clickjacking protection (X-Frame-Options header)
Reported by: rniemeyer
Owned by: rniemeyer
Has patch: yes
Needs documentation: yes
Needs tests: no
Patch needs improvement: no
For security reasons, many sites implement some form of clickjacking protection. Now that most of the modern browsers (IE8+, Firefox 3.6.9+, Chrome 4.1+, Safari 4+, Opera 10.5+) support the X-Frame-Options header, it seems to make sense for Django to support it as well.
Included is a patch for a middleware (based off Paul Osman's work) that will set the X-Frame-Options header for all responses. By default, it sets it to 'DENY', but allows for a settings.py value if 'SAMEORIGIN' is desired instead.
I stuck this in a new clickjacking middleware module, but it could obviously go somewhere else if that's not the best location.
While this is a rather trivial piece of code, it still feels like a worthwhile addition to Django for PR and "batteries included" reasons. If that's not generally agreed upon, I can open up a discussion on django dev. If this is deemed a good idea, then I can add docs to go along with the code/tests.
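The middleware described in the ticket, written as an added example rather than the attached patch or Django's own code: it defaults to DENY, takes SAMEORIGIN from a settings value, rejects anything else, and (going a step beyond the description) leaves a header a view has already set untouched. The `Response` stand-in, the `settings` object and the two views are constructed here so the block runs without Django.

```python
import types

# Added example, not the ticket's patch: a standalone X-Frame-Options middleware
# written against Django's callable middleware protocol (__init__(get_response),
# __call__(request)). Django itself is not imported so the block runs offline;
# the Response stand-in, the settings object and the views are constructed here.

VALID_VALUES = ("DENY", "SAMEORIGIN")

class Response:
    """Minimal stand-in for an HTTP response: a body plus a header mapping."""
    def __init__(self, body=""):
        self.body = body
        self.headers = {}

class XFrameOptionsMiddleware:
    """Set X-Frame-Options on every response unless the view already set it."""
    def __init__(self, get_response, settings=None):
        self.get_response = get_response
        # A real Django project would read this from django.conf.settings.
        value = getattr(settings, "X_FRAME_OPTIONS", "DENY").upper()
        if value not in VALID_VALUES:  # refuse misspelt or unsupported values
            raise ValueError("X_FRAME_OPTIONS must be one of %s" % (VALID_VALUES,))
        self.value = value

    def __call__(self, request):
        response = self.get_response(request)
        # Leave a value a view set deliberately (e.g. an embeddable widget) alone.
        response.headers.setdefault("X-Frame-Options", self.value)
        return response

def plain_view(request):
    return Response("hello")

def embeddable_view(request):
    resp = Response("widget")
    resp.headers["X-Frame-Options"] = "SAMEORIGIN"
    return resp

def header_for(view, **settings):
    """Run `view` through the middleware; return the header value, or None if
    the configured setting is rejected at middleware construction time."""
    try:
        mw = XFrameOptionsMiddleware(view, types.SimpleNamespace(**settings))
    except ValueError:
        return None
    return mw(None).headers["X-Frame-Options"]
```

Validating the setting at construction time means a typo such as `X_FRAME_OPTIONS = "SAME-ORIGIN"` fails at startup instead of silently shipping a header browsers ignore.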
Change History (16)
comment:1 Changed 5 years ago by rniemeyer
- Needs documentation set
- Needs tests unset
- Patch needs improvement unset
- Status changed from new to assigned
comment:2 Changed 5 years ago by thejaswi_puthraya
- Component changed from Uncategorized to HTTP handling
comment:7 in reply to: ↑ 6 Changed 5 years ago by rniemeyer
- Summary changed from Add middleware for setting X-Frame-Options HTTP header in responses to Add clickjacking protection (X-Frame-Options header)
comment:10 Changed 5 years ago by lukeplant
- Resolution set to fixed
- Status changed from assigned to closed