devilry / trix2

Next generation Trix. Detailed task control and statistics app for better learning outcome.
BSD 3-Clause "New" or "Revised" License

Remove `X-Frame-Options` from default settings #140

Closed torgeirl closed 7 months ago

torgeirl commented 10 months ago

The default settings set the X-Frame-Options HTTP header to 'DENY':

    # https://docs.djangoproject.com/en/1.11/ref/clickjacking/
    X_FRAME_OPTIONS = 'DENY'

The X-Frame-Options header is more or less obsolete now, and the reason to include it would mostly be to satisfy outdated security scanners. It is overridden by frame-ancestors in Content Security Policy (CSP), but there is little point in setting it in the backend instead of adding it at the proxy layer.

Workarounds: a) it can be changed from 'DENY' to 'SAMEORIGIN' by overwriting X_FRAME_OPTIONS in trix_settings.py.

b) to remove it, it has to be stripped away by the proxy, i.e. applying the following in Nginx's location block:

        server {
            ..
            location / {
               proxy_pass http://127.0.0.1:8002;
               ..

               proxy_hide_header X-Frame-Options;
               ..
            }
        }
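As an added example, not code from the trix2 project or from this thread: a small Python audit helper that implements the precedence the comment relies on (when a CSP frame-ancestors directive is present, browsers enforce it and ignore X-Frame-Options), run over constructed headers for trix2's default and for the same backend behind a proxy that adds CSP.

```python
from typing import Dict, List, Optional, Tuple


def parse_frame_ancestors(csp_value: str) -> Optional[List[str]]:
    """Source list of the frame-ancestors directive, or None if the policy lacks one.
    A bare "frame-ancestors" with no sources yields [] (matches nothing, like 'none')."""
    for directive in csp_value.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def effective_framing_policy(headers: List[Tuple[str, str]]) -> Dict[str, Optional[str]]:
    """Classify what a browser will enforce for the given (name, value) response headers.
    Per CSP Level 2, frame-ancestors takes precedence and X-Frame-Options is then ignored."""
    xfo: Optional[str] = None
    ancestors: Optional[List[str]] = None
    for name, value in headers:
        lname = name.lower()
        if lname == "x-frame-options" and xfo is None:
            xfo = value.strip().upper()
        elif lname == "content-security-policy" and ancestors is None:
            ancestors = parse_frame_ancestors(value)
    if ancestors is not None:
        sources = [s.lower() for s in ancestors]
        if not sources or sources == ["'none'"]:
            verdict = "blocked"
        elif sources == ["'self'"]:
            verdict = "same-origin"
        elif "*" in sources:
            verdict = "unrestricted"
        else:
            verdict = "allowlist"
        # X-Frame-Options is reported so an operator can see it has become dead weight
        return {"source": "frame-ancestors", "verdict": verdict, "ignored_xfo": xfo}
    if xfo in ("DENY", "SAMEORIGIN"):
        verdict = "blocked" if xfo == "DENY" else "same-origin"
        return {"source": "x-frame-options", "verdict": verdict, "ignored_xfo": None}
    # No header, or a value this checker does not handle (e.g. the obsolete ALLOW-FROM);
    # it is surfaced in ignored_xfo for review instead of being silently trusted
    return {"source": "none", "verdict": "unrestricted", "ignored_xfo": xfo}


# Constructed sample responses (not captured from a live site): trix2's default
# headers, and the same backend behind a proxy that adds a frame-ancestors directive
TRIX_DEFAULT = [("X-Frame-Options", "DENY")]
BEHIND_PROXY = TRIX_DEFAULT + [
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'"),
]
```

For BEHIND_PROXY the result reports `ignored_xfo: "DENY"`, which is exactly the case where stripping the header at the proxy (as in the Nginx snippet above) removes a header that no longer changes browser behaviour.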

Levijatan commented 7 months ago

Removed in cdcc742