Comment 2 for bug 1118327

Gabriel Hurley (gabriel-hurley) wrote :

Django actually has a middleware for exactly this purpose: https://docs.djangoproject.com/en/dev/ref/clickjacking/

It sets the X-Frame-Options header. We should use it. A patch to enable it by default is more than welcome. The patch would ideally include mention of why this is important in the "Deployment Considerations" section of the docs, too.

I definitely don't see this as something that requires a security release or advisory, but shipping Grizzly with it in the default recommended settings is definitely the way to go.
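As an added illustration (not code from this bug, from Horizon or from Django), here is the settings change the comment asks for, beside a small Django-free check that tells whether a captured HTTP response is actually protected against framing; the response samples and the function names are constructed for the example.

```python
from typing import Iterable, List, Tuple

# Constructed settings fragment: MIDDLEWARE_CLASSES was the Django 1.x
# setting name (Grizzly era); the middleware's built-in default is
# SAMEORIGIN, DENY is stricter and fits a dashboard that is never framed.
SETTINGS_EXAMPLE = """
MIDDLEWARE_CLASSES = (
    # ... existing Horizon middleware ...
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
)
X_FRAME_OPTIONS = 'DENY'
"""

VALID_DIRECTIVES = {"DENY", "SAMEORIGIN"}


def parse_raw_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw HTTP response (status line + headers) into (name, value)."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name, value))
    return pairs


def frame_protection(headers: Iterable[Tuple[str, str]]) -> str:
    """Classify the effective X-Frame-Options protection of a response.

    Returns 'missing' (no header: page can be framed), 'invalid' (header
    present but browsers ignore it: conflicting duplicates or an unknown
    value such as the deprecated ALLOW-FROM), or the effective directive
    'DENY' / 'SAMEORIGIN'. Header names and values are case-insensitive.
    """
    values = [v.strip().upper() for n, v in headers
              if n.strip().lower() == "x-frame-options"]
    if not values:
        return "missing"
    # Two headers, or one comma-joined "DENY, SAMEORIGIN", both count as
    # conflicting and are ignored by browsers, i.e. no protection at all.
    parts = {p.strip() for v in values for p in v.split(",")}
    if len(parts) != 1:
        return "invalid"
    directive = parts.pop()
    return directive if directive in VALID_DIRECTIVES else "invalid"


# Constructed responses: before and after enabling the middleware.
BEFORE_RESPONSE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
AFTER_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                  "X-Frame-Options: DENY\r\n\r\n<html>")
```

Run `frame_protection(parse_raw_headers(...))` against a response captured from the deployed dashboard; anything other than DENY or SAMEORIGIN means the middleware is not in effect on that path.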