Fixed #30426 -- Changed X_FRAME_OPTIONS setting default to DENY.

django/conf/global_settings.py

@@ -415,7 +415,7 @@ DEFAULT_TABLESPACE = ''
 DEFAULT_INDEX_TABLESPACE = ''
 
 # Default X-Frame-Options header value
-X_FRAME_OPTIONS = 'SAMEORIGIN'
+X_FRAME_OPTIONS = 'DENY'
 
 USE_X_FORWARDED_HOST = False
 USE_X_FORWARDED_PORT = False

django/core/checks/security/base.py

@@ -80,9 +80,8 @@ W019 = Warning(
     "You have "
     "'django.middleware.clickjacking.XFrameOptionsMiddleware' in your "
     "MIDDLEWARE, but X_FRAME_OPTIONS is not set to 'DENY'. "
-    "The default is 'SAMEORIGIN', but unless there is a good reason for "
-    "your site to serve other parts of itself in a frame, you should "
-    "change it to 'DENY'.",
+    "Unless there is a good reason for your site to serve other parts of "
+    "itself in a frame, you should change it to 'DENY'.",
     id='security.W019',
 )
 

django/middleware/clickjacking.py

@@ -37,9 +37,9 @@ class XFrameOptionsMiddleware(MiddlewareMixin):
     def get_xframe_options_value(self, request, response):
         """
         Get the value to set for the X_FRAME_OPTIONS header. Use the value from
-        the X_FRAME_OPTIONS setting, or 'SAMEORIGIN' if not set.
+        the X_FRAME_OPTIONS setting, or 'DENY' if not set.
 
         This method can be overridden if needed, allowing it to vary based on
         the request or response.
         """
-        return getattr(settings, 'X_FRAME_OPTIONS', 'SAMEORIGIN').upper()
+        return getattr(settings, 'X_FRAME_OPTIONS', 'DENY').upper()

docs/ref/checks.txt

@@ -420,9 +420,8 @@ The following checks are run if you use the :option:`check --deploy` option:
 * **security.W019**: You have
   :class:`django.middleware.clickjacking.XFrameOptionsMiddleware` in your
   :setting:`MIDDLEWARE`, but :setting:`X_FRAME_OPTIONS` is not set to
-  ``'DENY'``. The default is ``'SAMEORIGIN'``, but unless there is a good reason
-  for your site to serve other parts of itself in a frame, you should change
-  it to ``'DENY'``.
+  ``'DENY'``. Unless there is a good reason for your site to serve other parts
+  of itself in a frame, you should change it to ``'DENY'``.
 * **security.W020**: :setting:`ALLOWED_HOSTS` must not be empty in deployment.
 * **security.W021**: You have not set the
   :setting:`SECURE_HSTS_PRELOAD` setting to ``True``. Without this, your site

docs/ref/clickjacking.txt

@@ -67,10 +67,15 @@ This middleware is enabled in the settings file generated by
 :djadmin:`startproject`.
 
 By default, the middleware will set the ``X-Frame-Options`` header to
-``SAMEORIGIN`` for every outgoing ``HttpResponse``. If you want ``DENY``
-instead, set the :setting:`X_FRAME_OPTIONS` setting::
+``DENY`` for every outgoing ``HttpResponse``. If you want any other value for
+this header instead, set the :setting:`X_FRAME_OPTIONS` setting::
 
-    X_FRAME_OPTIONS = 'DENY'
+    X_FRAME_OPTIONS = 'SAMEORIGIN'
+
+.. versionchanged:: 3.0
+
+    The default value of the :setting:`X_FRAME_OPTIONS` setting was changed
+    from ``SAMEORIGIN`` to ``DENY``.
 
 When using the middleware there may be some views where you do **not** want the
 ``X-Frame-Options`` header set. For those cases, you can use a view decorator
@@ -116,6 +121,7 @@ Browsers that support ``X-Frame-Options``
 -----------------------------------------
 
 * Internet Explorer 8+
+* Edge
 * Firefox 3.6.9+
 * Opera 10.5+
 * Safari 4+

docs/ref/settings.txt

@@ -2795,12 +2795,15 @@ and :setting:`MONTH_DAY_FORMAT`.
 ``X_FRAME_OPTIONS``
 -------------------
 
-Default: ``'SAMEORIGIN'``
+Default: ``'DENY'``
 
 The default value for the X-Frame-Options header used by
 :class:`~django.middleware.clickjacking.XFrameOptionsMiddleware`. See the
 :doc:`clickjacking protection </ref/clickjacking/>` documentation.
 
+.. versionchanged:: 3.0
+
+    In older versions, the default value is ``SAMEORIGIN``.
 
 Auth
 ====

docs/releases/3.0.txt

@@ -535,6 +535,15 @@ upload handler is used.
 ``FILE_UPLOAD_PERMISSION`` now defaults to ``0o644`` to avoid this
 inconsistency.
 
+New default value for the ``X_FRAME_OPTIONS`` setting
+-----------------------------------------------------
+
+In older versions, the :setting:`X_FRAME_OPTIONS` setting defaults to
+``'SAMEORIGIN'``. To make Django projects more secure by default,
+:setting:`X_FRAME_OPTIONS` now defaults to ``'DENY'``. If your site uses frames
+of itself, you will need to explicitly set ``X_FRAME_ORIGINS = 'SAMEORIGIN'``
+for them to continue working.
+
 Miscellaneous
 -------------
 

tests/middleware/tests.py

@@ -621,12 +621,12 @@ class XFrameOptionsMiddlewareTest(SimpleTestCase):
     def test_defaults_sameorigin(self):
         """
         If the X_FRAME_OPTIONS setting is not set then it defaults to
-        SAMEORIGIN.
+        DENY.
         """
         with override_settings(X_FRAME_OPTIONS=None):
             del settings.X_FRAME_OPTIONS    # restored by override_settings
             r = XFrameOptionsMiddleware().process_response(HttpRequest(), HttpResponse())
-            self.assertEqual(r['X-Frame-Options'], 'SAMEORIGIN')
+            self.assertEqual(r['X-Frame-Options'], 'DENY')
 
     def test_dont_set_if_set(self):
         """

tests/project_template/test_settings.py

@@ -39,5 +39,5 @@ class TestStartProjectSettings(SimpleTestCase):
                 b'Content-Length: 0',
                 b'Content-Type: text/html; charset=utf-8',
                 b'X-Content-Type-Options: nosniff',
-                b'X-Frame-Options: SAMEORIGIN',
+                b'X-Frame-Options: DENY',
             ])