mirror of https://github.com/django/django.git synced 2025-11-07 07:15:35 +00:00

Fixed #30426 -- Changed X_FRAME_OPTIONS setting default to DENY.

Claude Paroz
2019-09-07 09:52:10 +02:00
committed by Mariusz Felisiak
parent 5495ea3ae0
commit 05d0eca635
9 changed files with 32 additions and 16 deletions


@@ -420,9 +420,8 @@ The following checks are run if you use the :option:`check --deploy` option:
* **security.W019**: You have
:class:`django.middleware.clickjacking.XFrameOptionsMiddleware` in your
:setting:`MIDDLEWARE`, but :setting:`X_FRAME_OPTIONS` is not set to
``'DENY'``. The default is ``'SAMEORIGIN'``, but unless there is a good reason
for your site to serve other parts of itself in a frame, you should change
it to ``'DENY'``.
``'DENY'``. Unless there is a good reason for your site to serve other parts
of itself in a frame, you should change it to ``'DENY'``.
* **security.W020**: :setting:`ALLOWED_HOSTS` must not be empty in deployment.
* **security.W021**: You have not set the
:setting:`SECURE_HSTS_PRELOAD` setting to ``True``. Without this, your site
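
Review bot: In the security.W019 entry, removing "The default is ``'SAMEORIGIN'``" leaves the text with no statement of the default at all, so a reader cannot tell that this warning now fires only when a project has explicitly set :setting:`X_FRAME_OPTIONS` to something other than ``'DENY'``. Consider stating the new default inline, for example "but :setting:`X_FRAME_OPTIONS` is not set to ``'DENY'`` (the default)". Also confirm that the W019 message string emitted by the check itself carries the same wording as this entry, since only the documentation side of the change is visible in this hunk.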