use django's clickjacking protection middleware

2014-08-28 13:18:08 +02:00 · 2014-08-28 13:18:08 +02:00 · b6db7a33d8
commit b6db7a33d8
parent dea3848b36
2 changed files with 9 additions and 2 deletions
--- a/docs/security.rst
+++ b/docs/security.rst
@ -119,6 +119,12 @@ CSRF protection
 We use Django's CSRF protection middleware.


+Clickjacking protection
+=======================
+
+We use Django's clickjacking protection middleware.
+
+
 XSS protection
 ==============

--- a/nsupdate/settings/base.py
+++ b/nsupdate/settings/base.py
@ -117,8 +117,7 @@ MIDDLEWARE_CLASSES = (
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'social.apps.django_app.middleware.SocialAuthExceptionMiddleware',
-    # Uncomment the next line for simple clickjacking protection:
-    # 'django.middleware.clickjacking.XFrameOptionsMiddleware',
+    'django.middleware.clickjacking.XFrameOptionsMiddleware',
 )

 TEMPLATE_CONTEXT_PROCESSORS = DEFAULT_SETTINGS.TEMPLATE_CONTEXT_PROCESSORS + (
@ -232,6 +231,8 @@ ACCOUNT_ACTIVATION_DAYS = 7

 LOGIN_REDIRECT_URL = '/overview/'

+X_FRAME_OPTIONS = 'DENY'  # for clickjacking middleware
+
 CSRF_FAILURE_VIEW = 'nsupdate.main.views.csrf_failure_view'

 # Settings for CSRF cookie.