id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
14261	Add clickjacking protection (X-Frame-Options header)	rniemeyer	rniemeyer	"== Overview ==
For security reasons, many sites implement some form of [http://en.wikipedia.org/wiki/Clickjacking clickjacking] protection. Now that most of the modern browsers (IE8+, Firefox 3.6.9+, Chrome 4.1+, Safari 4+, Opera 10.5+) support the X-Frame-Options header, it seems to make sense for Django to support it as well.

== Details ==
Included is a patch for a middleware (based on [http://github.com/paulosman/django-xframeoptions Paul Osman's work]) that will set the X-Frame-Options header for all responses. By default it sets it to 'DENY', but allows for a settings.py value if 'SAMEORIGIN' is desired instead.

I stuck this in a new clickjacking middleware module, but it could obviously go somewhere else if that's not the best location.

== Why? ==
While this is a rather trivial piece of code, it still feels like a worthwhile addition to Django for PR and ""batteries included"" reasons. If that's not generally agreed upon, I can open up a discussion on django dev. If this is deemed a good idea, then I can add docs to go along with the code/tests.
"	New feature	closed	HTTP handling	1.2	Normal	fixed	clickjacking x_frame_options		Accepted	1	1	0	0	0	0
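The middleware described in the ticket, as an added illustration: this is not the patch attached to the ticket and not Paul Osman's django-xframeoptions, and it is written framework-agnostic so it runs without Django installed (settings and the response are stand-ins constructed here). Three details are assumptions the ticket does not state: the setting is named X_FRAME_OPTIONS, a header a view already set is left alone rather than overwritten, and any value other than DENY or SAMEORIGIN is rejected at startup, since a misspelled directive is one browsers ignore and would silently remove the protection.

```python
# Added example: a settings-driven X-Frame-Options middleware in the shape the
# ticket describes. It is NOT the patch attached to the ticket nor Paul Osman's
# django-xframeoptions; it is framework-agnostic so it runs without Django.
# Assumptions (not stated in the ticket): the setting is called X_FRAME_OPTIONS,
# the header is left alone when a view already set it, and anything other than
# DENY/SAMEORIGIN is rejected at startup rather than passed through.

HEADER = "X-Frame-Options"
ALLOWED_VALUES = ("DENY", "SAMEORIGIN")


class Settings:
    """Stand-in for django.conf.settings, constructed for this example."""

    def __init__(self, **values):
        for name, value in values.items():
            setattr(self, name, value)


def is_allowed_value(value):
    """True only for the two directives the ticket mentions (case-insensitive)."""
    return isinstance(value, str) and value.upper() in ALLOWED_VALUES


def resolve_x_frame_options(settings):
    """Pick the header value: settings.X_FRAME_OPTIONS if present, else DENY.

    A typo such as 'SAMEORIGN' would otherwise ship a header browsers ignore,
    silently removing the protection, so fail loudly instead.
    """
    value = getattr(settings, "X_FRAME_OPTIONS", "DENY")
    if not is_allowed_value(value):
        raise ValueError(
            "X_FRAME_OPTIONS must be one of %s, got %r" % (ALLOWED_VALUES, value)
        )
    return value.upper()


def has_header(headers, name):
    """HTTP header names are case-insensitive; a plain dict is not."""
    return any(key.lower() == name.lower() for key in headers)


class XFrameOptionsMiddleware:
    """Sets X-Frame-Options on every response that does not already carry one."""

    def __init__(self, settings):
        self.value = resolve_x_frame_options(settings)

    def process_response(self, request, response):
        # 'response' is modelled as a dict of headers; Django's HttpResponse
        # supports the same item-style access.
        if not has_header(response, HEADER):
            response[HEADER] = self.value
        return response


def run_cycle(settings_values, existing_headers=None):
    """Build the middleware from the given settings and push one response through it."""
    middleware = XFrameOptionsMiddleware(Settings(**settings_values))
    response = dict(existing_headers or {})
    return middleware.process_response(request=None, response=response)


if __name__ == "__main__":
    print(run_cycle({}))                                     # default: DENY
    print(run_cycle({"X_FRAME_OPTIONS": "SAMEORIGIN"}))      # overridden in settings
    print(run_cycle({}, {"X-Frame-Options": "SAMEORIGIN"}))  # view's own value kept
    try:
        run_cycle({"X_FRAME_OPTIONS": "ALLOWALL"})
    except ValueError as exc:
        print("rejected:", exc)
```

The value check is the part worth keeping whatever framework hosts it: an X-Frame-Options header with an unrecognised directive is not an error in any browser, it is simply ignored, so the only place a bad setting can be caught is at configuration time.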
