How to use Content-Security-Policy to disable header "X-Frame-Options: deny"?

I created a website in Django that I deployed on Heroku. I am trying to display this website from an HTML page using an iframe. However, when I load my HTML page, I get the error: "gkwhelps.herokuapp.com refused the connection." And when inspecting the page I get the following message: "Refused to display 'http://gkwhelps.herokuapp.com/' in a frame because it set 'X-Frame-Options' to 'deny'." To solve this problem, I modified my settings.py like this:


# settings.py
MIDDLEWARE = [
    ...
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]

# views.py
from django.http import HttpResponse
from django.views.decorators.clickjacking import xframe_options_exempt

# Marks this view's response as exempt, so the middleware does not add X-Frame-Options.
@xframe_options_exempt
def ok_to_load_in_a_frame(request):
    return HttpResponse("This page is safe to load in a frame on any site.")

and I updated my site. But despite this, I still get the same error when I reload my page. I don't know why, since I updated my site.

You can try the following to set the same-origin X-Frame-Options value:

from django.http import HttpResponse
from django.views.decorators.clickjacking import xframe_options_sameorigin

# Sets "X-Frame-Options: SAMEORIGIN" on this view's response.
@xframe_options_sameorigin
def ok_to_load_in_a_frame(request):
    return HttpResponse("This page is safe to load in a frame on any site.")

If you want to set it for your whole app, you could try adding the line below to your settings.py file:

X_FRAME_OPTIONS = 'SAMEORIGIN'
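As an added illustration (not code from the question, the answer, or Django itself), the model below mirrors how Django's XFrameOptionsMiddleware, the two clickjacking decorators and the X_FRAME_OPTIONS setting combine to produce the header the browser sees. It imports no Django; the Response class, the frame_header helper and the plain view are constructed stand-ins. It shows that the decorators act per view, so only the response of the view that actually serves the framed URL is affected, while the setting changes the default for every undecorated view.

```python
# Added example: a Django-free model of django.middleware.clickjacking and
# django.views.decorators.clickjacking, to show which header each combination yields.

class Response:
    """Minimal stand-in for django.http.HttpResponse (constructed for this example)."""
    def __init__(self, body=""):
        self.body = body
        self.headers = {}

def xframe_options_exempt(view):
    # The real decorator flags the *response*; the middleware honours that flag later.
    def wrapped(request):
        resp = view(request)
        resp.xframe_options_exempt = True
        return resp
    return wrapped

def xframe_options_sameorigin(view):
    # Sets the header directly, unless the view already chose a value.
    def wrapped(request):
        resp = view(request)
        resp.headers.setdefault("X-Frame-Options", "SAMEORIGIN")
        return resp
    return wrapped

def xframe_middleware(view, settings):
    """Applies the X_FRAME_OPTIONS setting; Django 3.0+ defaults to 'DENY'."""
    def wrapped(request):
        resp = view(request)
        if "X-Frame-Options" in resp.headers:               # view already decided
            return resp
        if getattr(resp, "xframe_options_exempt", False):   # view opted out
            return resp
        resp.headers["X-Frame-Options"] = settings.get("X_FRAME_OPTIONS", "DENY").upper()
        return resp
    return wrapped

def frame_header(view, settings=None):
    """Header value the browser would see for this view, or None if absent (hypothetical helper)."""
    resp = xframe_middleware(view, settings or {})(None)
    return resp.headers.get("X-Frame-Options")

def plain(request):
    return Response("framed page")

if __name__ == "__main__":
    print(frame_header(plain))                                     # DENY (default)
    print(frame_header(xframe_options_exempt(plain)))              # None: any site may frame it
    print(frame_header(xframe_options_sameorigin(plain)))          # SAMEORIGIN
    print(frame_header(plain, {"X_FRAME_OPTIONS": "SAMEORIGIN"}))  # SAMEORIGIN
```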