Send Content-Security-Policy header #203
Labels: security (Changes to improve or maintain the availability and resilience of the app)
The Content-Security-Policy (CSP) header (with the `frame-ancestors` directive) replaces the now deprecated `X-Frame-Options` header, to instruct the browser about appropriate actions to perform if a site is included inside an `<iframe>`. See more at https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

We already have Django's built-in Clickjacking/`X-Frame-Options` features enabled. Since this app should never be run from an `<iframe>`, let's create another Middleware that sets the CSP header like so:
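A Django-style middleware that does this, added here as an example and not code from the issue or the project. The consistency check between the legacy `X-Frame-Options` header and `frame-ancestors` (so older and newer browsers enforce the same policy), and the use of a plain dict as a stand-in for `HttpResponse`, are assumptions of this example.

```python
"""Django-style middleware that adds a Content-Security-Policy header
restricting framing, plus a check that it agrees with X-Frame-Options."""

CSP_HEADER = "Content-Security-Policy"
XFO_HEADER = "X-Frame-Options"

# Legacy X-Frame-Options value -> equivalent frame-ancestors source expression.
XFO_TO_FRAME_ANCESTORS = {"DENY": "'none'", "SAMEORIGIN": "'self'"}


class ContentSecurityPolicyMiddleware:
    """Append a frame-ancestors directive to every response.

    Follows Django's middleware contract (__init__ receives get_response,
    __call__ receives the request), so it can be listed in settings.MIDDLEWARE.
    Only response.get() and item assignment are used, which both HttpResponse
    and a plain dict (used as a stand-in below) support.
    """

    frame_ancestors = "'none'"  # this app should never be framed

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        response = self.get_response(request)
        # Do not clobber a CSP that a view has already set deliberately.
        if not response.get(CSP_HEADER):
            response[CSP_HEADER] = f"frame-ancestors {self.frame_ancestors}"
        return response


def frame_ancestors_of(csp_value):
    """Return the frame-ancestors source list from a CSP value, or None."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def framing_headers_consistent(response):
    """True when X-Frame-Options (honoured by older browsers) and the CSP
    frame-ancestors directive (honoured by modern ones) express the same
    policy, so the protection does not depend on which header is used."""
    xfo = (response.get(XFO_HEADER) or "").upper()
    ancestors = frame_ancestors_of(response.get(CSP_HEADER) or "")
    if not xfo or ancestors is None:
        return False  # one of the two mechanisms is missing
    return ancestors == [XFO_TO_FRAME_ANCESTORS.get(xfo)]
```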