Fixed #30426 -- Changed X_FRAME_OPTIONS setting default to DENY.

Claude Paroz 2019-09-07 09:52:10 +02:00 committed by Mariusz Felisiak
parent 5495ea3ae0
commit 05d0eca635
9 changed files with 32 additions and 16 deletions


@ -67,10 +67,15 @@ This middleware is enabled in the settings file generated by
:djadmin:`startproject`.
By default, the middleware will set the ``X-Frame-Options`` header to
``SAMEORIGIN`` for every outgoing ``HttpResponse``. If you want ``DENY``
instead, set the :setting:`X_FRAME_OPTIONS` setting::
``DENY`` for every outgoing ``HttpResponse``. If you want any other value for
this header instead, set the :setting:`X_FRAME_OPTIONS` setting::
X_FRAME_OPTIONS = 'DENY'
X_FRAME_OPTIONS = 'SAMEORIGIN'
.. versionchanged:: 3.0
The default value of the :setting:`X_FRAME_OPTIONS` setting was changed
from ``SAMEORIGIN`` to ``DENY``.
When using the middleware there may be some views where you do **not** want the
``X-Frame-Options`` header set. For those cases, you can use a view decorator
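Review bot: the rewritten sentence "If you want any other value for this header instead, set the :setting:`X_FRAME_OPTIONS` setting" is vaguer than the text it replaces ("If you want ``DENY`` instead"), and the literal block that follows only shows ``X_FRAME_OPTIONS = 'SAMEORIGIN'``, so the prose and the example no longer line up. Consider naming the alternative the example actually demonstrates, e.g. "If you want ``SAMEORIGIN`` instead, so the site can frame its own pages, set the :setting:`X_FRAME_OPTIONS` setting::". The ``.. versionchanged:: 3.0`` note correctly records the ``SAMEORIGIN`` to ``DENY`` switch; since the middleware is enabled in the ``startproject`` settings file, it would help upgraders to add one sentence there saying that projects relying on same-origin framing now need to set ``X_FRAME_OPTIONS = 'SAMEORIGIN'`` explicitly.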
@ -116,6 +121,7 @@ Browsers that support ``X-Frame-Options``
-----------------------------------------
* Internet Explorer 8+
* Edge
* Firefox 3.6.9+
* Opera 10.5+
* Safari 4+
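Review bot: the hunk header ``-116,6 +121,7`` shows one line added to the "Browsers that support ``X-Frame-Options``" list, and ``* Edge`` is the only entry without a version qualifier, unlike ``Internet Explorer 8+``, ``Firefox 3.6.9+``, ``Opera 10.5+`` and ``Safari 4+``; if that is the added line, give it the same form as its neighbours or state that all Edge versions are covered. The browser-list addition is also unrelated to the setting-default change in the commit message and would be easier to trace in its own commit. Note that the page shows only the first five lines of this hunk, so the remaining context could not be reviewed here.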