123456789101112131415161718192021222324252627282930313233343536373839404142434445464748 |
- """
- Clickjacking Protection Middleware.
-
- This module provides a middleware that implements protection against a
- malicious site loading resources from your site in a hidden frame.
- """
-
- from django.conf import settings
- from django.utils.deprecation import MiddlewareMixin
-
-
- class XFrameOptionsMiddleware(MiddlewareMixin):
- """
- Set the X-Frame-Options HTTP header in HTTP responses.
-
- Do not set the header if it's already set or if the response contains
- a xframe_options_exempt value set to True.
-
- By default, set the X-Frame-Options header to 'DENY', meaning the response
- cannot be displayed in a frame, regardless of the site attempting to do so.
- To enable the response to be loaded on a frame within the same site, set
- X_FRAME_OPTIONS in your project's Django settings to 'SAMEORIGIN'.
- """
-
- def process_response(self, request, response):
-
- if response.get("X-Frame-Options") is not None:
- return response
-
-
- if getattr(response, "xframe_options_exempt", False):
- return response
-
- response.headers["X-Frame-Options"] = self.get_xframe_options_value(
- request,
- response,
- )
- return response
-
- def get_xframe_options_value(self, request, response):
- """
- Get the value to set for the X_FRAME_OPTIONS header. Use the value from
- the X_FRAME_OPTIONS setting, or 'DENY' if not set.
-
- This method can be overridden if needed, allowing it to vary based on
- the request or response.
- """
- return getattr(settings, "X_FRAME_OPTIONS", "DENY").upper()
|