id	summary	reporter	owner	description	type	status	component	version	severity	resolution	keywords	cc	stage	has_patch	needs_docs	needs_tests	needs_better_patch	easy	ui_ux
36160	"Django serve view does not respect X_FRAME_OPTIONS = ""SAMEORIGIN"""	Mirat Can Bayrak		"In my Django project, I needed to display an uploaded file inside an <iframe>. However, I noticed that Django's built-in serve view does not respect the X_FRAME_OPTIONS = ""SAMEORIGIN"" setting, which prevents the file from being embedded in an iframe.

After investigating, I found that the serve view in Django does not modify the response headers related to X_FRAME_OPTIONS, meaning it defaults to Django's global security settings.

**Serve view:**

https://github.com/django/django/blob/c6ace896a2da73356f7c9a655bbe32a0e3ce0435/django/views/static.py#L28

**FileResponse implementation:**

https://github.com/django/django/blob/12b9ef38b3ff7f5b8b24a5f42e8923fdb6db44bb/django/http/response.py#L572

Since serve acts as a wrapper around FileResponse, I expected it to either respect X_FRAME_OPTIONS or provide a way to override it.
Would it be possible to modify the serve view to allow overriding X_FRAME_OPTIONS explicitly?

"	Uncategorized	closed	contrib.staticfiles	5.1	Normal	needsinfo	static, headers		Unreviewed	0	0	0	0	0	0
