Provides a powerful interface to CSP headers for Django applications.
django-csp-advanced
A powerful Content-Security-Policy (CSP) middleware for Django. It supports a dictionary syntax for the CSP, and callables taking the arguments (request, response) can fill in parts of the dictionary at request time.
For example, the following settings.py configuration:
    ADVANCED_CSP = {
        'block-all-mixed-content': True,
        'frame-src': ['none'],
        'plugin-types': ['application/pdf'],
        'report-uri': '/dev/null',
        'sandbox': ['allow-scripts'],
        'script-src': ['self', 'https://dmoj.ca'],
        'style-src': lambda request, response: ['self'],
        'upgrade-insecure-requests': False,
    }
generates this CSP (order may differ based on dictionary hashing):
    style-src 'self'; script-src 'self' https://dmoj.ca; frame-src 'none'; plugin-types application/pdf; block-all-mixed-content; sandbox allow-scripts; report-uri /dev/null
Another feature is the ability to augment or replace the CSP from views:
    from django.http import HttpResponse

    def view(request):
        response = HttpResponse()
        # Directives set here are merged into the global ADVANCED_CSP policy.
        response.csp = {'script-src': ['https://ajax.googleapis.com']}
        return response
This will add https://ajax.googleapis.com to the list of origins listed for script-src, resulting in something like:
    ...; script-src 'self' https://dmoj.ca https://ajax.googleapis.com; ...
You can use 'override': True to replace the CSP instead:
    from django.http import HttpResponse

    def view(request):
        response = HttpResponse()
        # With 'override': True the global policy is discarded for this response.
        response.csp = {'script-src': ['self'], 'override': True}
        return response
This will replace the CSP with script-src 'self'.
You can also set csp_report on the response to add entries to the report-only CSP. Note that neither csp nor csp_report has any effect if its global counterpart (ADVANCED_CSP or ADVANCED_CSP_REPORT_ONLY) is disabled. However, csp will be used to populate Content-Security-Policy-Report-Only if no enforced CSP policy is configured but a report-only policy is.
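To make the behaviour above concrete, here is an added, self-contained model (written for this page, not the django-csp-advanced source) of how a policy dictionary becomes a header value and how a view's response.csp is merged into the global policy. The function names, the keyword set and the "extend lists, replace everything else" merge rule are this example's own assumptions about the README's described behaviour.

```python
from typing import Any, Dict, List

# Source keywords that CSP requires to be single-quoted in the header.
KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval", "strict-dynamic"}

def resolve(value: Any, request: Any = None, response: Any = None) -> Any:
    # Callables take (request, response), as the README's lambdas do.
    return value(request, response) if callable(value) else value

def serialize_csp(policy: Dict[str, Any], request=None, response=None) -> str:
    """Render a policy dict as a Content-Security-Policy header value."""
    parts: List[str] = []
    for name, raw in policy.items():
        value = resolve(raw, request, response)
        if value is True:            # boolean directive, emitted bare
            parts.append(name)
        elif value is False or value is None:
            continue                 # disabled directive, omitted entirely
        elif isinstance(value, (list, tuple)):
            sources = [f"'{s}'" if s in KEYWORDS else s for s in value]
            parts.append(f"{name} {' '.join(sources)}")
        else:                        # plain string, e.g. report-uri /dev/null
            parts.append(f"{name} {value}")
    return "; ".join(parts)

def merge_csp(global_policy: Dict[str, Any], view_policy: Dict[str, Any],
              request=None, response=None) -> Dict[str, Any]:
    """Apply a view's response.csp: extend lists, or replace if 'override'."""
    extra = dict(view_policy)
    if extra.pop("override", False):
        return extra                 # assumed: view policy wins outright
    merged = {k: resolve(v, request, response) for k, v in global_policy.items()}
    for name, raw in extra.items():
        value = resolve(raw, request, response)
        current = merged.get(name)
        if isinstance(current, (list, tuple)) and isinstance(value, (list, tuple)):
            merged[name] = list(current) + [s for s in value if s not in current]
        else:
            merged[name] = value
    return merged

if __name__ == "__main__":
    # Constructed sample input, reusing directives from the README's example.
    policy = {"script-src": ["self", "https://dmoj.ca"],
              "style-src": lambda request, response: ["self"],
              "block-all-mixed-content": True, "upgrade-insecure-requests": False}
    print(serialize_csp(policy))
    print(serialize_csp(merge_csp(policy, {"script-src": ["https://ajax.googleapis.com"]})))
    print(serialize_csp(merge_csp(policy, {"script-src": ["self"], "override": True})))
```

Directive order follows dictionary insertion order here, whereas the README notes the real middleware's order may vary.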
Installation
First, install the module with:
    $ pip install django-csp-advanced
Or if you want the latest bleeding edge version:
    $ pip install -e git+https://github.com/quantum5/django-csp-advanced.git#egg=django-csp-advanced
Then, add 'csp_advanced' to INSTALLED_APPS and 'csp_advanced.middleware.AdvancedCSPMiddleware' to MIDDLEWARE or MIDDLEWARE_CLASSES, depending on your setup.
Finally, set either a dictionary or a callable taking (request, response) as ADVANCED_CSP or ADVANCED_CSP_REPORT_ONLY.
Examples:
    ADVANCED_CSP = lambda request, response: {'script-src': ['self']}
    ADVANCED_CSP_REPORT_ONLY = {'script-src': ['self']}
    ADVANCED_CSP = {'style-src': lambda request, response: ['self']}
You get the idea.
Hashes for django-csp-advanced-0.1.0.tar.gz

Algorithm | Hash digest
---|---
SHA256 | c1fac7121b5df4fb5b99caf07de3cf4e0e12f3fe96e13585c392a21eaece0c8c
MD5 | d3eaba0847e2735caca4fcbb7c902e63
BLAKE2b-256 | 6d20b574c98d9ff12a71ca9e9a30f264b8670609c2a1af89b6e2575c9df1ee6d
Hashes for django_csp_advanced-0.1.0-py3-none-any.whl

Algorithm | Hash digest
---|---
SHA256 | 97c1a115426eec6dd91544850625ff2de88fd1207aea453107e8a29fae05e0ae
MD5 | efc8714fa267af12f158f9830cad48f7
BLAKE2b-256 | 7a7708b7e655d569f6956547922266ea8ed7be0a2c76518c305b42bb1a91fe34