Trying a change to X-Frame-Options

spacetelescope · Nov 25, 2024 · 7354f33 · 7354f33
1 parent f5256e3
commit 7354f33
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/jwql/website/jwql_proj/settings.py b/jwql/website/jwql_proj/settings.py
@@ -40,6 +40,9 @@
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = get_config()['django_debug']
 
+# SECURITY WARNING: This turns the default X_FRAME_OPTIONS value/header from 'DENY' to
+# 'SAMEORIGIN', which might potentially allow clickjacking.
+X_FRAME_OPTIONS = 'SAMEORIGIN'
 
 ALLOWED_HOSTS = ['*']