A Django app that evaluates CSP reports to identify malicious activity.
CSP Observer
CSP Observer is a Django app that monitors incoming Content Security Policy (CSP) reports for your site. It tries to detect security/privacy issues and notifies your visitors.
Installation
- In `settings.py` add "csp_observer" to your `INSTALLED_APPS`:

```python
INSTALLED_APPS = [
    ...
    'csp_observer',
]
```

- Also in `settings.py` add the following entry to `MIDDLEWARE`:

```python
MIDDLEWARE = [
    ...
    'csp_observer.middleware.CspReportMiddleware',
]
```

- Include the url configuration in your `urls.py`:

```python
from django.urls import path, include

urlpatterns = [
    ...
    path('csp/', include('csp_observer.urls')),
]
```

- Run `python manage.py migrate` to create the necessary database tables.
- The basic installation is finished! View the Configuration section for more information on how to configure the app.
Admin Interface
A basic administration interface is available under `/csp/admin`.
Commands
List of commands integrated into manage.py:
Command | Description |
---|---|
`cleansessions` | Removes old sessions and reports from the database. Should be run regularly. |
`updaterules` | Updates the rules from the central rule repository. |
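The reports that the middleware receives and the rules that `updaterules` fetches are the two inputs of the evaluation. The following is an added illustration, not code from the csp_observer project: it normalizes both wire formats a browser can send (the legacy `report-uri` body with its `csp-report` object, and the Reporting API body, which is a JSON array of report objects) and matches the blocked host against a rule list. The rule schema, the sample reports and the hostnames are constructed for the example; the real `rules.json` format is not shown on this page.

```python
import json
from urllib.parse import urlsplit

# Constructed rule list. The project's real rules come from RULE_UPDATE_FILE;
# their schema is not documented on this page, so this shape is an assumption.
EXAMPLE_RULES = [
    {"host": "tracker.example", "category": "tracking", "message": "Known tracking script"},
    {"host": "evil.example", "category": "malware", "message": "Known malicious host"},
]

# Constructed sample: legacy report-uri body (one object under "csp-report").
LEGACY_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://www.example.com/account",
    "violated-directive": "script-src",
    "effective-directive": "script-src",
    "blocked-uri": "https://tracker.example/pixel.js",
    "original-policy": "default-src 'self'; script-src 'self'; report-uri /csp/report/",
}})

# Constructed sample: Reporting API body (an array; other report types may be mixed in).
NEW_API_REPORTS = json.dumps([{
    "type": "csp-violation",
    "age": 10,
    "url": "https://www.example.com/account",
    "body": {
        "documentURL": "https://www.example.com/account",
        "effectiveDirective": "script-src-elem",
        "blockedURL": "inline",
        "disposition": "report",
    },
}])


def normalize(raw_body: str) -> list:
    """Turn either wire format into a list of {directive, blocked, document} dicts."""
    data = json.loads(raw_body)
    out = []
    if isinstance(data, dict) and "csp-report" in data:
        r = data["csp-report"]
        out.append({
            "directive": r.get("effective-directive") or r.get("violated-directive", ""),
            "blocked": r.get("blocked-uri", ""),
            "document": r.get("document-uri", ""),
        })
    elif isinstance(data, list):
        for entry in data:
            if entry.get("type") != "csp-violation":
                continue  # a Reporting API endpoint can also receive deprecation, crash, ... reports
            b = entry.get("body", {})
            out.append({
                "directive": b.get("effectiveDirective", ""),
                "blocked": b.get("blockedURL", ""),
                "document": b.get("documentURL", entry.get("url", "")),
            })
    return out


def classify(report: dict, rules: list) -> dict:
    """Match one normalized report against the rule list.

    'known'   - the blocked host (or a subdomain of it) is listed in the rules
    'inline'  - an inline/eval violation, i.e. script or style without the nonce
    'unknown' - everything else; these are the reports an operator reviews
    """
    blocked = report["blocked"]
    if blocked in ("inline", "eval", ""):
        return {"verdict": "inline", "directive": report["directive"], "blocked": blocked}
    # blocked-uri may be a bare scheme such as "data" or "blob" rather than a URL
    host = urlsplit(blocked).hostname or blocked
    for rule in rules:
        if host == rule["host"] or host.endswith("." + rule["host"]):
            return {"verdict": "known", "category": rule["category"],
                    "message": rule["message"], "host": host}
    return {"verdict": "unknown", "host": host, "directive": report["directive"]}


def evaluate(raw_body: str, rules: list = EXAMPLE_RULES) -> list:
    """Evaluate a raw report body and return one verdict per contained violation."""
    return [classify(r, rules) for r in normalize(raw_body)]


if __name__ == "__main__":
    print(evaluate(LEGACY_REPORT))
    print(evaluate(NEW_API_REPORTS))
```

Matching on the host rather than the full `blocked-uri` is deliberate: the path of a tracking or malware script changes far more often than its domain, and suffix matching catches subdomains without listing each one. Anything that comes back `unknown` is the interesting residue for a human, and is the kind of data the `VOLUNTARY_DATA_SHARING_URL` setting below refers to.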
Configuration
Overview of all available settings and their default values:
Setting | Default | Description |
---|---|---|
`REPORT_ONLY` | `True` | Whether to only report CSP violations (report-only header) or to enforce the CSP rules. |
`ENABLED_PATHS` | `["/"]` | An array of paths for which the CSP header should be set. |
`CSP_POLICIES` | `{'default-src': ["'self'"], 'script-src': ["'self'", "'unsafe-inline'"], 'connect-src': ["'self'"]}` | A dictionary of CSP policies that should be applied. Key is the name of the directive and value is a list of source expressions. |
`USE_NEW_API` | `False` | Whether to enable the new Reporting API or use the old `report-uri` directive. |
`USE_SCRIPT_NONCE` | `True` | Add a nonce to all script tags to catch inline script violations. |
`USE_STYLE_NONCE` | `True` | Add a nonce to all style tags to catch inline style violations. |
`SESSION_KEEP_DAYS` | `14` | The number of days sessions should be kept in the database. |
`IS_MASTER_COLLECTOR` | `False` | Indicates if the instance should function as a central collector of CSP reports for multiple other instances. |
`AUTHORIZED_REPORTERS` | `[]` | A list of origins that are allowed to send their CSP reports to the master. Example: `['http://127.0.0.1:8000', 'https://example.com']` |
`REMOTE_SECRET` | `''` | A shared secret that must be the same for the master collector and all reporters. |
`REMOTE_REPORTING` | `False` | Whether to use a central remote collector or not. |
`REMOTE_CSP_OBSERVER_URL` | `''` | The URL of the remote collector instance. Must be the path to the csp_observer app, as defined in `urls.py`. Example: `http://example.com/csp` |
`CLIENTUI_VISIBILITY` | `always` | Choose if the client popup should always be visible (`always`) or only if a problem has been detected (`minimized`). |
`RULE_UPDATE_FILE` | `https://raw.githubusercontent.com/flxn/csp-observer-data/master/rules.json` | The path to the file that contains the global rule database. |
`RULE_UPDATE_INTERVAL` | `21600` | The minimum number of seconds before a new rule update is allowed. |
`VOLUNTARY_DATA_SHARING_URL` | `https://csp-observer-reports.flxn.de` | The URL that the unknown report data of the data sharing is sent to. |
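To make the interaction of `REPORT_ONLY`, `CSP_POLICIES`, `USE_SCRIPT_NONCE`, `USE_STYLE_NONCE` and `USE_NEW_API` concrete, here is an added example that turns a settings dictionary in the shape of the table above into the header a response would carry. It is illustration code written for this page, not the csp_observer middleware's own implementation: the report endpoint path `/csp/report/`, the Reporting API group name `csp-observer`, and the choice to put a style nonce into a `style-src` directive that the default policy does not define are all assumptions.

```python
import secrets

# Constructed settings mirroring the documented defaults above. Only the keys
# this example needs are included.
EXAMPLE_SETTINGS = {
    "REPORT_ONLY": True,
    "CSP_POLICIES": {
        "default-src": ["'self'"],
        "script-src": ["'self'", "'unsafe-inline'"],
        "connect-src": ["'self'"],
    },
    "USE_NEW_API": False,
    "USE_SCRIPT_NONCE": True,
    "USE_STYLE_NONCE": True,
}

REPORT_PATH = "/csp/report/"   # assumed endpoint under the 'csp/' include in urls.py
REPORT_GROUP = "csp-observer"  # assumed Reporting API endpoint group name


def make_nonce() -> str:
    """Fresh per-response nonce; 16 random bytes (128 bits) is the customary size."""
    return secrets.token_urlsafe(16)


def build_csp_header(settings: dict, nonce: str) -> tuple:
    """Return (header_name, header_value) for one response.

    REPORT_ONLY selects the report-only header, so nothing is blocked while
    the policy is being tuned; USE_*_NONCE append 'nonce-<value>' so that any
    inline script/style lacking the nonce yields a violation report;
    USE_NEW_API switches the reporting directive from report-uri to report-to.
    The caller's CSP_POLICIES dict is copied, never mutated.
    """
    policies = {d: list(srcs) for d, srcs in settings["CSP_POLICIES"].items()}
    nonce_src = f"'nonce-{nonce}'"
    if settings.get("USE_SCRIPT_NONCE"):
        policies.setdefault("script-src", ["'self'"]).append(nonce_src)
    if settings.get("USE_STYLE_NONCE"):
        # Assumption: a missing style-src starts from 'self' before the nonce is added.
        policies.setdefault("style-src", ["'self'"]).append(nonce_src)
    parts = [f"{directive} {' '.join(srcs)}" for directive, srcs in policies.items()]
    if settings.get("USE_NEW_API"):
        parts.append(f"report-to {REPORT_GROUP}")
    else:
        parts.append(f"report-uri {REPORT_PATH}")
    name = ("Content-Security-Policy-Report-Only"
            if settings.get("REPORT_ONLY", True) else "Content-Security-Policy")
    return name, "; ".join(parts)


if __name__ == "__main__":
    print(build_csp_header(EXAMPLE_SETTINGS, make_nonce()))
```

One consequence worth knowing when you read the resulting header: the default `script-src` keeps `'unsafe-inline'`, but browsers that understand nonces ignore `'unsafe-inline'` as soon as a nonce (or hash) is present in the same directive. That is what makes `USE_SCRIPT_NONCE` effective at surfacing un-nonced inline scripts, while older browsers without nonce support still fall back to allowing inline code.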
Download files
Source Distribution

django-csp-observer-1.0.tar.gz (260.1 kB)

Built Distribution

django_csp_observer-1.0-py3-none-any.whl

Hashes for django_csp_observer-1.0-py3-none-any.whl

Algorithm | Hash digest |
---|---|
SHA256 | 918211b43f5213601463f0938c8561ca1a160cf73ba04362122472726cb8c323 |
MD5 | 0620e8d10764df3378b5c66a89bebed3 |
BLAKE2b-256 | cd4db4f8b6f58f49ef22cc1f320a3e477ff5f951f58825430b7d366e1ffffda3 |