From 7354f3314000eaf12faf84b36f2c20c34e7518ca Mon Sep 17 00:00:00 2001
From: "york@stsci.edu"
Date: Mon, 25 Nov 2024 15:13:28 -0500
Subject: [PATCH] Trying a change to X-Frame-Options

---
 jwql/website/jwql_proj/settings.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/jwql/website/jwql_proj/settings.py b/jwql/website/jwql_proj/settings.py
index 6568eceeb..7c15779ed 100644
--- a/jwql/website/jwql_proj/settings.py
+++ b/jwql/website/jwql_proj/settings.py
@@ -40,6 +40,9 @@
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = get_config()['django_debug']
+# SECURITY WARNING: This turns the default X_FRAME_OPTIONS value/header from 'DENY' to
+# 'SAMEORIGIN', which might potentially allow clickjacking.
+X_FRAME_OPTIONS = 'SAMEORIGIN'
 ALLOWED_HOSTS = ['*']
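Review bot: The added `X_FRAME_OPTIONS = 'SAMEORIGIN'` relaxes the clickjacking protection site-wide, but neither the comment nor the commit message says which page needs to be framed, so a later maintainer cannot tell whether the relaxation is still required or can be narrowed; the comment should record the reason, e.g. `# SECURITY WARNING: relaxed from the default 'DENY' so that <page or embedding, to be filled in> can be framed by this site's own origin; any other origin is still blocked.`. If only one or two views need framing, Django's per-view `xframe_options_sameorigin` decorator (from `django.views.decorators.clickjacking`) keeps `DENY` as the global default and limits the exposure to those views. The header is only emitted when `XFrameOptionsMiddleware` is in `MIDDLEWARE`, which is outside this hunk and presumably already present — worth confirming, since otherwise the setting has no effect either way. Given that `DEBUG` on the line above is read from `get_config()`, a deployment-level switch for this value might fit the file's existing pattern, though that is a judgement call for the maintainers.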