Fixed #30426 -- Changed X_FRAME_OPTIONS setting default to DENY.

docs/ref/checks.txt

@@ -420,9 +420,8 @@ The following checks are run if you use the :option:`check --deploy` option:
 * **security.W019**: You have
   :class:`django.middleware.clickjacking.XFrameOptionsMiddleware` in your
   :setting:`MIDDLEWARE`, but :setting:`X_FRAME_OPTIONS` is not set to
-  ``'DENY'``. The default is ``'SAMEORIGIN'``, but unless there is a good reason
-  for your site to serve other parts of itself in a frame, you should change
-  it to ``'DENY'``.
+  ``'DENY'``. Unless there is a good reason for your site to serve other parts
+  of itself in a frame, you should change it to ``'DENY'``.
 * **security.W020**: :setting:`ALLOWED_HOSTS` must not be empty in deployment.
 * **security.W021**: You have not set the
   :setting:`SECURE_HSTS_PRELOAD` setting to ``True``. Without this, your site

docs/ref/clickjacking.txt

@@ -67,10 +67,15 @@ This middleware is enabled in the settings file generated by
 :djadmin:`startproject`.
 
 By default, the middleware will set the ``X-Frame-Options`` header to
-``SAMEORIGIN`` for every outgoing ``HttpResponse``. If you want ``DENY``
-instead, set the :setting:`X_FRAME_OPTIONS` setting::
+``DENY`` for every outgoing ``HttpResponse``. If you want any other value for
+this header instead, set the :setting:`X_FRAME_OPTIONS` setting::
 
-    X_FRAME_OPTIONS = 'DENY'
+    X_FRAME_OPTIONS = 'SAMEORIGIN'
+
+.. versionchanged:: 3.0
+
+    The default value of the :setting:`X_FRAME_OPTIONS` setting was changed
+    from ``SAMEORIGIN`` to ``DENY``.
 
 When using the middleware there may be some views where you do **not** want the
 ``X-Frame-Options`` header set. For those cases, you can use a view decorator
@@ -116,6 +121,7 @@ Browsers that support ``X-Frame-Options``
 -----------------------------------------
 
 * Internet Explorer 8+
+* Edge
 * Firefox 3.6.9+
 * Opera 10.5+
 * Safari 4+

docs/ref/settings.txt

@@ -2795,12 +2795,15 @@ and :setting:`MONTH_DAY_FORMAT`.
 ``X_FRAME_OPTIONS``
 -------------------
 
-Default: ``'SAMEORIGIN'``
+Default: ``'DENY'``
 
 The default value for the X-Frame-Options header used by
 :class:`~django.middleware.clickjacking.XFrameOptionsMiddleware`. See the
 :doc:`clickjacking protection </ref/clickjacking/>` documentation.
 
+.. versionchanged:: 3.0
+
+    In older versions, the default value is ``SAMEORIGIN``.
 
 Auth
 ====

docs/releases/3.0.txt

@@ -535,6 +535,15 @@ upload handler is used.
 ``FILE_UPLOAD_PERMISSION`` now defaults to ``0o644`` to avoid this
 inconsistency.
 
+New default value for the ``X_FRAME_OPTIONS`` setting
+-----------------------------------------------------
+
+In older versions, the :setting:`X_FRAME_OPTIONS` setting defaults to
+``'SAMEORIGIN'``. To make Django projects more secure by default,
+:setting:`X_FRAME_OPTIONS` now defaults to ``'DENY'``. If your site uses frames
+of itself, you will need to explicitly set ``X_FRAME_ORIGINS = 'SAMEORIGIN'``
+for them to continue working.
+
 Miscellaneous
 -------------