Provides a powerful interface to CSP headers for Django applications.
Project description
django-csp-advanced
A powerful Content-Security-Policy (CSP) middleware for Django. This CSP middleware supports using a dictionary syntax for CSP, and using callables taking arguments (request, response) to fill in parts of the dictionary.
For example, the following settings.py configuration:
ADVANCED_CSP = {
    'block-all-mixed-content': True,
    'frame-src': ['none'],
    'plugin-types': ['application/pdf'],
    'report-uri': '/dev/null',
    'sandbox': ['allow-scripts'],
    'script-src': ['self', 'https://dmoj.ca'],
    'style-src': lambda request, response: ['self'],
    'upgrade-insecure-requests': False,
}
generates this CSP (order may differ based on dictionary hashing):
style-src 'self'; script-src 'self' https://dmoj.ca; frame-src 'none'; plugin-types application/pdf; block-all-mixed-content; sandbox allow-scripts; report-uri /dev/null
Another feature is the ability to augment or replace the CSP from views:
from django.http import HttpResponse

def view(request):
    response = HttpResponse()
    # Augment the global policy: this origin is appended to script-src
    response.csp = {'script-src': ['https://ajax.googleapis.com']}
    return response
This will add https://ajax.googleapis.com to the list of origins listed for script-src, resulting in something like:
...; script-src 'self' https://dmoj.ca https://ajax.googleapis.com; ...
You can use 'override': True to replace the CSP instead:
from django.http import HttpResponse

def view(request):
    response = HttpResponse()
    # 'override': True discards the global policy and uses only this dictionary
    response.csp = {'script-src': ['self'], 'override': True}
    return response
This will replace the CSP with script-src 'self'.
You can also set csp_report on the response to add entries to the report-only CSP. Note that neither csp nor csp_report has any effect if its global counterpart is disabled. However, csp will be used to populate Content-Security-Policy-Report-Only if there is no enforced CSP policy configured but there is a report-only policy.
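As an added illustration (not code from django-csp-advanced), the following standalone Python models how the dictionary policy above serialises into a header value and how a per-view response.csp merges with, or overrides, the global policy. The function names are hypothetical, and the keyword-quoting rule (which source values get single quotes) is an assumption of this example rather than the package's documented behaviour.

```python
from typing import Any, Dict

# CSP source keywords that must be single-quoted in the header. This quoting
# rule is an assumption of this example, not the package's documented rule.
QUOTED_KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval",
                   "strict-dynamic", "report-sample", "unsafe-hashes"}

def _quote(source: str) -> str:
    """Quote keywords and nonce/hash sources; leave hosts and MIME types bare."""
    if source in QUOTED_KEYWORDS or source.startswith(("nonce-", "sha256-", "sha384-", "sha512-")):
        return f"'{source}'"
    return source

def _resolve(value: Any, request: Any, response: Any) -> Any:
    """Callable directive values are called with (request, response)."""
    return value(request, response) if callable(value) else value

def render_csp(policy: Dict[str, Any], request: Any = None, response: Any = None) -> str:
    """Serialise a dictionary policy: True -> bare directive, False/None -> omitted,
    str -> raw value, list -> space-joined sources with keywords quoted."""
    parts = []
    for directive, value in policy.items():
        if directive == "override":
            continue  # control key, never emitted as a directive
        value = _resolve(value, request, response)
        if value is False or value is None:
            continue
        if value is True:
            parts.append(directive)
        elif isinstance(value, str):
            parts.append(f"{directive} {value}")
        else:
            parts.append(f"{directive} {' '.join(_quote(v) for v in value)}")
    return "; ".join(parts)

def merge_view_csp(global_policy: Dict[str, Any], view_policy: Dict[str, Any],
                   request: Any = None, response: Any = None) -> Dict[str, Any]:
    """Combine the global policy with a view's response.csp: list directives are
    extended (duplicates dropped); 'override': True replaces the whole policy."""
    if view_policy.get("override"):
        return {k: v for k, v in view_policy.items() if k != "override"}
    merged = {k: _resolve(v, request, response) for k, v in global_policy.items()}
    for directive, value in view_policy.items():
        value, current = _resolve(value, request, response), merged.get(directive)
        if isinstance(value, list) and isinstance(current, list):
            merged[directive] = current + [v for v in value if v not in current]
        elif directive != "override":
            merged[directive] = value
    return merged
```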
Installation
First, install the module with:
$ pip install django-csp-advanced
Or if you want the latest bleeding edge version:
$ pip install -e git://github.com/quantum5/django-csp-advanced.git
Then, add 'csp_advanced' to INSTALLED_APPS and 'csp_advanced.middleware.AdvancedCSPMiddleware' to MIDDLEWARE or MIDDLEWARE_CLASSES depending on your setup.
Finally, use either a dictionary or a callable taking request, response as either ADVANCED_CSP or ADVANCED_CSP_REPORT_ONLY.
Examples:
ADVANCED_CSP = lambda request, response: {'script-src': ['self']}
ADVANCED_CSP_REPORT_ONLY = {'script-src': ['self']}
ADVANCED_CSP = {'style-src': lambda request, response: ['self']}
You get the idea.
File details
Details for the file django-csp-advanced-0.1.0.tar.gz.
File metadata
- Download URL: django-csp-advanced-0.1.0.tar.gz
- Upload date:
- Size: 8.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.3.0 pkginfo/1.4.2 requests/2.25.1 setuptools/52.0.0 requests-toolbelt/0.9.1 tqdm/4.57.0 CPython/3.9.2
File hashes
Algorithm | Hash digest
---|---
SHA256 | c1fac7121b5df4fb5b99caf07de3cf4e0e12f3fe96e13585c392a21eaece0c8c
MD5 | d3eaba0847e2735caca4fcbb7c902e63
BLAKE2b-256 | 6d20b574c98d9ff12a71ca9e9a30f264b8670609c2a1af89b6e2575c9df1ee6d
File details
Details for the file django_csp_advanced-0.1.0-py3-none-any.whl.
File metadata
- Download URL: django_csp_advanced-0.1.0-py3-none-any.whl
- Upload date:
- Size: 8.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.3.0 pkginfo/1.4.2 requests/2.25.1 setuptools/52.0.0 requests-toolbelt/0.9.1 tqdm/4.57.0 CPython/3.9.2
File hashes
Algorithm | Hash digest
---|---
SHA256 | 97c1a115426eec6dd91544850625ff2de88fd1207aea453107e8a29fae05e0ae
MD5 | efc8714fa267af12f158f9830cad48f7
BLAKE2b-256 | 7a7708b7e655d569f6956547922266ea8ed7be0a2c76518c305b42bb1a91fe34