Django actually has a middleware for exactly this purpose: https://docs.djangoproject.com/en/dev/ref/clickjacking/
It sets the X-Frame-Options header. We should use it. A patch to enable it by default is more than welcome. The patch would ideally include mention of why this is important in the "Deployment Considerations" section of the docs, too.
I definitely don't see this as something that requires a security release or advisory, but shipping Grizzly with it in the default recommended settings is definitely the way to go.
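To make the effect of enabling the middleware concrete, here is an added example (not Django's code and not part of this thread) of a small WSGI middleware that models what Django's XFrameOptionsMiddleware does: it appends X-Frame-Options to every response that does not already carry one, and rejects values other than DENY and SAMEORIGIN. The sample app and in-process client are constructed for the demonstration.

```python
# Added example: a WSGI middleware modelled on what
# django.middleware.clickjacking.XFrameOptionsMiddleware does, so the
# header's behaviour can be exercised without Django installed.
# Assumption: if the wrapped application already set X-Frame-Options
# itself, that value is left untouched (Django's middleware does the same).
from typing import Callable, Iterable, List, Optional, Tuple

Headers = List[Tuple[str, str]]


class XFrameOptionsMiddleware:
    """Add an X-Frame-Options header to every response that lacks one."""

    def __init__(self, app: Callable, value: str = "DENY") -> None:
        # Django reads this value from the X_FRAME_OPTIONS setting; here it
        # is a constructor argument. Only the two standard values are allowed.
        if value.upper() not in ("DENY", "SAMEORIGIN"):
            raise ValueError("X-Frame-Options must be DENY or SAMEORIGIN")
        self.app = app
        self.value = value.upper()

    def __call__(self, environ: dict, start_response: Callable) -> Iterable[bytes]:
        def patched_start_response(status: str, headers: Headers, exc_info=None):
            # Header names are case-insensitive; add ours only if absent.
            if not any(name.lower() == "x-frame-options" for name, _ in headers):
                headers.append(("X-Frame-Options", self.value))
            return start_response(status, headers, exc_info)

        return self.app(environ, patched_start_response)


def call_app(app: Callable, path: str = "/") -> Tuple[str, Headers, bytes]:
    """Minimal in-process WSGI client: returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def plain_app(environ, start_response):
    """Constructed sample app: an unprotected page, plus a page with its own policy."""
    headers = [("Content-Type", "text/html")]
    if environ["PATH_INFO"] == "/widget":
        headers.append(("X-Frame-Options", "SAMEORIGIN"))  # app-chosen policy
    start_response("200 OK", headers)
    return [b"<html>hello</html>"]


def header_value(headers: Headers, name: str) -> Optional[str]:
    """Case-insensitive header lookup; None when the header is missing."""
    return next((v for k, v in headers if k.lower() == name.lower()), None)
```

Wrapping the application with the middleware is the whole deployment change; the unwrapped app sends no framing policy at all, which is the state the thread is arguing against.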