From b6db7a33d8fd4f769e00cf181a8bef4dba1a3174 Mon Sep 17 00:00:00 2001
From: Thomas Waldmann
Date: Thu, 28 Aug 2014 13:18:08 +0200
Subject: [PATCH] use django's clickjacking protection middleware
---
 docs/security.rst | 6 ++++++
 nsupdate/settings/base.py | 5 +++--
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/docs/security.rst b/docs/security.rst
index 8a44b83..1c48345 100644
--- a/docs/security.rst
+++ b/docs/security.rst
@@ -119,6 +119,12 @@ CSRF protection
 We use Django's CSRF protection middleware.
+Clickjacking protection
+=======================
+
+We use Django's clickjacking protection middleware.
+
+
 XSS protection
 ==============
diff --git a/nsupdate/settings/base.py b/nsupdate/settings/base.py
index c608014..4bf4fd1 100644
--- a/nsupdate/settings/base.py
+++ b/nsupdate/settings/base.py
@@ -117,8 +117,7 @@ MIDDLEWARE_CLASSES = (
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'social.apps.django_app.middleware.SocialAuthExceptionMiddleware',
- # Uncomment the next line for simple clickjacking protection:
- # 'django.middleware.clickjacking.XFrameOptionsMiddleware',
+ 'django.middleware.clickjacking.XFrameOptionsMiddleware',
 )
 TEMPLATE_CONTEXT_PROCESSORS = DEFAULT_SETTINGS.TEMPLATE_CONTEXT_PROCESSORS + (
@@ -232,6 +231,8 @@ ACCOUNT_ACTIVATION_DAYS = 7
 LOGIN_REDIRECT_URL = '/overview/'
+X_FRAME_OPTIONS = 'DENY' # for clickjacking middleware
+
 CSRF_FAILURE_VIEW = 'nsupdate.main.views.csrf_failure_view'
 # Settings for CSRF cookie.
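Review bot: The inline comment on the new `X_FRAME_OPTIONS = 'DENY'` line in the second base.py hunk says only "for clickjacking middleware", which leaves the two consequences a maintainer needs unexplained: the header is emitted solely by the `XFrameOptionsMiddleware` enabled in the first hunk (and only when a response does not already carry X-Frame-Options), and `DENY` also refuses same-origin framing, so any view that legitimately has to be embedded must opt out with `django.views.decorators.clickjacking.xframe_options_exempt` rather than by weakening this setting. I would change the comment to `X_FRAME_OPTIONS = 'DENY'  # header set by XFrameOptionsMiddleware; DENY also blocks same-origin frames, exempt views with @xframe_options_exempt`. Since X-Frame-Options is an anti-framing header that browsers honour but that does not cover every embedding vector, the docs/security.rst hunk could state the `DENY` policy explicitly so readers know frames are refused everywhere, not merely that a middleware is installed; that is a wording suggestion rather than a defect.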