#14261: Add middleware for setting X-Frame-Options HTTP header in responses
------------------------------------------+---------------------------------
 Reporter:  rniemeyer                     |        Owner:  rniemeyer
   Status:  new                           |    Milestone:
Component:  Uncategorized                 |      Version:  1.2
 Keywords:  clickjacking x_frame_options  |        Stage:  Unreviewed
Has_patch:  1                             |
------------------------------------------+---------------------------------
== Overview ==

For security reasons, many sites implement some form of [http://en.wikipedia.org/wiki/Clickjacking clickjacking] protection. Now that most of the modern browsers (IE8+, Firefox 3.6.9+, Chrome 4.1+, Safari 4+, Opera 10.5+) support the X-Frame-Options header, it seems to make sense for Django to support it as well.
== Details ==

Included is a patch for a middleware (based on [http://github.com/paulosman/django-xframeoptions Paul Osman's work]) that will set the X-Frame-Options header for all responses. By default, it sets it to 'DENY', but it allows for a settings.py value if 'SAMEORIGIN' is desired instead. I stuck this in a new clickjacking middleware module, but it could obviously go somewhere else if that's not the best location.

== Why? ==

While this is a rather trivial piece of code, it still feels like a worthwhile addition to Django for PR and "batteries included" reasons. If that's not generally agreed upon, I can open up a discussion on django dev. If this is deemed a good idea, then I can add docs to go along with the code/tests.

-- 
Ticket URL: <http://code.djangoproject.com/ticket/14261>
Django <http://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
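As an added illustration of the middleware the ticket describes (this is example code written for this page, not the ticket's attached patch or Paul Osman's module): a Django 1.x-style middleware that stamps X-Frame-Options on responses, defaulting to DENY and reading an alternative from settings. The settings key name X_FRAME_OPTIONS and the class name XFrameOptionsMiddleware are assumptions; the ticket names neither. To run without a Django project, `settings` and `Response` below are constructed stand-ins for `django.conf.settings` and `django.http.HttpResponse` (both support `response['Header'] = value` and `'Header' in response`). Two points go beyond the ticket text and are marked as such in the code: the configured value is validated at start-up, and a header a view set itself is left alone.

```python
"""Added example (not the ticket's patch): Django 1.x-style X-Frame-Options
middleware.  `settings` and `Response` are constructed stand-ins so the file
runs stand-alone; the names X_FRAME_OPTIONS and XFrameOptionsMiddleware are
assumptions, not identifiers from the ticket."""

# The two values every X-Frame-Options-aware browser understands.  ALLOW-FROM
# was only ever honoured by some browsers, so it is rejected rather than
# passed through as a header most clients would silently ignore.
ALLOWED_VALUES = ('DENY', 'SAMEORIGIN')


class settings:
    """Constructed stand-in for django.conf.settings."""
    X_FRAME_OPTIONS = 'DENY'  # ticket default; 'SAMEORIGIN' allows same-site framing


class Response:
    """Constructed stand-in for HttpResponse; only the header mapping is modelled."""

    def __init__(self, content=''):
        self.content = content
        self._headers = {}  # lower-cased header name -> (original name, value)

    def __setitem__(self, name, value):
        self._headers[name.lower()] = (name, value)

    def __getitem__(self, name):
        return self._headers[name.lower()][1]

    def __contains__(self, name):
        return name.lower() in self._headers


class XFrameOptionsMiddleware:
    """Sets X-Frame-Options on every response that does not already carry one.

    Validation happens once, at construction, so a typo in settings.py fails at
    start-up instead of shipping an unrecognised header value that browsers
    ignore, which would leave the site framable (check added here).
    """

    def __init__(self):
        value = getattr(settings, 'X_FRAME_OPTIONS', 'DENY').upper()
        if value not in ALLOWED_VALUES:
            raise ValueError(
                'X_FRAME_OPTIONS must be one of %s, got %r' % (ALLOWED_VALUES, value))
        self.value = value

    def process_response(self, request, response):
        # Caveat added here: a view that deliberately set its own
        # X-Frame-Options (e.g. an embeddable widget) keeps it; the middleware
        # only fills the header in where it is missing.
        if 'X-Frame-Options' not in response:
            response['X-Frame-Options'] = self.value
        return response


def run_demo():
    """Return (header on an ordinary page, header on a page that set its own)."""
    middleware = XFrameOptionsMiddleware()
    page = middleware.process_response(None, Response('<html>login form</html>'))
    widget = Response('<html>embeddable widget</html>')
    widget['X-Frame-Options'] = 'SAMEORIGIN'
    widget = middleware.process_response(None, widget)
    return page['X-Frame-Options'], widget['X-Frame-Options']


if __name__ == '__main__':
    print(run_demo())  # ('DENY', 'SAMEORIGIN')
```

In a real Django 1.2 project the stand-in `settings` class is replaced by `from django.conf import settings`, the class goes in a middleware module, and its dotted path is added to MIDDLEWARE_CLASSES. A quick deployment check is `curl -I` against any URL and confirming an `X-Frame-Options: DENY` (or `SAMEORIGIN`) line appears in the response headers.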
