
"""
Clickjacking Protection Middleware.

This module provides a middleware that implements protection against a
malicious site loading resources from your site in a hidden frame.
"""

7 

8from django.conf import settings 

9from django.utils.deprecation import MiddlewareMixin 

10 

11 

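class XFrameOptionsMiddleware(MiddlewareMixin):
    """
    Set the X-Frame-Options HTTP header in HTTP responses.

    Do not set the header if it's already set or if the response contains
    a xframe_options_exempt value set to True.

    By default, set the X-Frame-Options header to 'DENY', meaning the
    response cannot be loaded in a frame on any site (this is the fallback
    used by get_xframe_options_value). To allow framing only by pages from
    the same origin, set X_FRAME_OPTIONS in your project's Django settings
    to 'SAMEORIGIN'.
    """

    def process_response(self, request, response):
        """
        Add the X-Frame-Options header to the response unless it is exempt.

        The request is passed through to get_xframe_options_value so that
        subclasses can vary the header per request. The same response object
        is returned, with the header added when no exemption applies.
        """
        # A header set explicitly by the view or an earlier middleware wins;
        # NOTE(review): this assumes response.get() looks headers up
        # case-insensitively — confirm against the response class in use.
        if response.get("X-Frame-Options") is not None:
            return response

        # @xframe_options_exempt marks the response with this attribute; only
        # an explicitly truthy value opts the response out of the header.
        if getattr(response, "xframe_options_exempt", False):
            return response

        response.headers["X-Frame-Options"] = self.get_xframe_options_value(
            request,
            response,
        )
        return response

    def get_xframe_options_value(self, request, response):
        """
        Return the value to set for the X-Frame-Options header.

        Use the value from the X_FRAME_OPTIONS setting, or 'DENY' if not set.
        The value is upper-cased, so a lower-case setting such as 'sameorigin'
        is emitted in its canonical form.

        This method can be overridden if needed, allowing it to vary based on
        the request or response.
        """
        return getattr(settings, "X_FRAME_OPTIONS", "DENY").upper()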