Django - Security Best Practices
medium · Debug · Q7 of 15

A developer tries to set X_FRAME_OPTIONS = 'DENY' but still allows framing from their own domain. What is a likely cause?
A. The developer's browser cache is outdated and needs clearing
B. The browser ignores X-Frame-Options if Content-Security-Policy frame-ancestors is set
C. The middleware was removed from the MIDDLEWARE list
D. The developer set X_FRAME_OPTIONS in the wrong settings file
Step-by-Step Solution
Solution:
  1. Step 1: Understand browser header precedence

    Browsers have two clickjacking controls: the older X-Frame-Options header, which Django's XFrameOptionsMiddleware emits from the X_FRAME_OPTIONS setting (the default has been 'DENY' since Django 3.0), and the Content-Security-Policy frame-ancestors directive. CSP Level 2 requires that when a response carries an enforced policy containing frame-ancestors, the browser ignore X-Frame-Options entirely; the directive is not merged with the header, it replaces it.
  2. Step 2: Identify conflict cause

    If another layer (a CSP middleware, a reverse proxy, a CDN) adds frame-ancestors 'self' to the same response, the browser applies that directive and same-origin framing works despite X-Frame-Options: DENY. Removing the middleware (option C) would allow framing from any origin, not only the developer's own, and a stale cache or a wrong settings file would not produce this origin-specific behaviour.
  3. Final Answer:

    The browser ignores X-Frame-Options if Content-Security-Policy frame-ancestors is set -> Option B
  4. Quick Check:

    Inspect the actual response headers (curl -I or the browser's network panel): if both X-Frame-Options and a Content-Security-Policy containing frame-ancestors are present, the CSP directive decides [OK]
Quick Trick: An enforced Content-Security-Policy frame-ancestors directive overrides X-Frame-Options; a Content-Security-Policy-Report-Only header does not. Keep both consistent, because browsers that lack frame-ancestors support fall back to X-Frame-Options and should enforce the same rule [OK]
Common Mistakes:
MISTAKES
  • Blaming the browser cache without looking at the response headers
  • Assuming the middleware was removed (that would allow framing from every origin, not just the developer's own)
  • Not knowing that an enforced CSP frame-ancestors directive takes precedence over X-Frame-Options
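The precedence rule above, as an added example that is not part of the quiz page or of Django: a small model of how a browser resolves X-Frame-Options against a Content-Security-Policy frame-ancestors directive, following CSP Level 2 (frame-ancestors present in an enforced policy means X-Frame-Options is ignored). All header values and origins are constructed sample data, and the function names are the example's own.

```python
# Added example (not from the quiz page): a small model of how a browser
# decides whether a page may be framed when it receives both
# X-Frame-Options and a Content-Security-Policy frame-ancestors directive.
# Precedence follows CSP Level 2, section 7.1: when an enforced policy
# carries frame-ancestors, X-Frame-Options is ignored. Header names and
# origins below are constructed sample data.
from urllib.parse import urlsplit


def _get_header(headers, name):
    """Case-insensitive header lookup over a plain dict (None if absent)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _origin_parts(origin):
    """Split 'https://host:port' into (scheme, host, port-or-None)."""
    parts = urlsplit(origin)
    return parts.scheme.lower(), (parts.hostname or "").lower(), parts.port


def parse_frame_ancestors(csp_value):
    """Return the source list of the frame-ancestors directive, or None when
    the policy has no such directive (then X-Frame-Options still applies)."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [token.lower() for token in tokens[1:]]
    return None


def source_matches(source, ancestor_origin, page_origin):
    """Match one frame-ancestors source expression against the origin of the
    framing page. Handles 'none', 'self', *, scheme sources (https:) and
    host sources with optional scheme, port and a leading *. wildcard."""
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin_parts(ancestor_origin) == _origin_parts(page_origin)
    if source == "*":
        return True
    a_scheme, a_host, a_port = _origin_parts(ancestor_origin)
    if source.endswith(":") and "/" not in source:        # scheme-source
        return a_scheme == source[:-1]
    scheme, sep, rest = source.partition("://")            # host-source
    if not sep:
        scheme, rest = "", source
    host, _, port = rest.split("/", 1)[0].partition(":")
    if scheme and scheme != a_scheme:
        return False
    if port and port != "*" and str(a_port) != port:       # explicit port only
        return False
    if host.startswith("*."):                              # *.example.com
        return a_host.endswith(host[1:])                   # subdomains only
    return a_host == host


def framing_allowed(headers, page_origin, ancestor_origin):
    """Decide whether ancestor_origin may embed the page that sent `headers`."""
    csp = _get_header(headers, "Content-Security-Policy")  # Report-Only does not count
    if csp is not None:
        ancestors = parse_frame_ancestors(csp)
        if ancestors is not None:
            # frame-ancestors present: X-Frame-Options is ignored entirely
            return any(source_matches(s, ancestor_origin, page_origin) for s in ancestors)
    xfo = _get_header(headers, "X-Frame-Options") or ""
    values = {v.strip().lower() for v in xfo.split(",") if v.strip()}
    if "deny" in values:
        return False
    if "sameorigin" in values:
        return _origin_parts(ancestor_origin) == _origin_parts(page_origin)
    return True  # no header, or an obsolete/unrecognised value such as ALLOW-FROM


if __name__ == "__main__":
    # The quiz scenario: Django's XFrameOptionsMiddleware emits DENY, but another
    # layer (a CSP middleware or the reverse proxy) adds frame-ancestors 'self';
    # the browser honours only the CSP directive.
    conflicting = {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    }
    page = "https://app.example"
    print(framing_allowed(conflicting, page, "https://app.example"))   # True
    print(framing_allowed(conflicting, page, "https://evil.example"))  # False
```

To reproduce the quiz's symptom, feed `framing_allowed` the headers captured from the real response (curl -I or the browser's network panel); if a CSP with frame-ancestors is present, the X-Frame-Options value never influences the result, which is exactly why DENY appears to be ignored for same-origin framing.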
