
Adjusting X_FRAME_OPTIONS in Django

When you deploy a Django application to production it is recommended to harden settings.py with several security settings. One of them is X_FRAME_OPTIONS, which controls the X-Frame-Options response header and so protects your site against clickjacking: an attacker embeds your pages in an invisible iframe on their own site and tricks visitors into clicking your buttons. (Modern browsers also honour the Content-Security-Policy frame-ancestors directive; X-Frame-Options is the simpler, older mechanism and the one Django manages for you.)

As I deployed my Django webapp to production I put several security settings into my settings.py. Among other things I wanted to protect my website against clickjacking. The clickjacking protection in Django is really easy to use.

First you have to enable django.middleware.clickjacking.XFrameOptionsMiddleware in the MIDDLEWARE list of your settings.py (recent Django versions already include it in the default project template, so check whether it is there before adding it):

MIDDLEWARE = [
    # ... your other middleware ...
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

The middleware adds an X-Frame-Options header to every outgoing HttpResponse that does not already carry one. To forbid framing of your pages entirely, set the value to DENY in your settings.py (SAMEORIGIN would instead allow pages from your own origin to frame them; since Django 3.0, DENY is the default):

X_FRAME_OPTIONS = 'DENY'

Great, it worked as expected: every response now carried X-Frame-Options: DENY. Unfortunately I had forgotten that my application's backend opens my media list inside an iframe. With DENY, the browser refuses to render the framed document, so all I saw was a blank iframe.

Fortunately, Django lets you override the global setting for individual views with the decorators in django.views.decorators.clickjacking: xframe_options_deny, xframe_options_sameorigin and xframe_options_exempt (the last one suppresses the header entirely). A header set by a decorator takes precedence because the middleware never overwrites an existing X-Frame-Options header. In my case only the media list view should be frameable, and only by my own site, so xframe_options_sameorigin is the right choice:

from django.contrib.auth.decorators import login_required
from django.shortcuts import render
from django.views.decorators.clickjacking import xframe_options_sameorigin


@login_required
@xframe_options_sameorigin  # this view only: allow framing by pages from the same origin
def media_list_select(request):
    ...  # build the media queryset here
    ...
    return render(request, 'cms/media_list_select.html', {'media': media})

And tada! The media list was rendered in the iframe again, while every other page still sends X-Frame-Options: DENY.