-
Notifications
You must be signed in to change notification settings - Fork 132
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add X-Frame-Options Middleware class. #1766
Conversation
Set default header to 'SAMEORIGIN'
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me! What do you think @ukanga
onadata/settings/common.py
Outdated
) | ||
|
||
X_FRAME_OPTIONS = 'SAMEORIGIN' |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that we should make the default "DENY" as recommended in Django 3.0 - see https://docs.djangoproject.com/en/3.0/ref/clickjacking/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fair point
Tested this and it checks out. /accounts/login doesn't load on the iframe |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm!
Set the x-frame-options header. Guide from django's documentation here
Fixes #1767