Adds middleware to give some added protection against the BREACH attack in Django.
Project description
Extra mitigation against the BREACH attack for Django projects.
django-debreach provides additional protection on top of Django's built-in CSRF token masking by randomising the content length of each response. This is achieved by appending an HTML comment containing a random string of between 12 and 25 characters to the end of the HTML content. Note that this is only applied to responses with a content type of text/html; other responses are passed through unchanged.
When combined with the built-in mitigations in Django and rate limiting (either in your web-server, or by using something like django-ratelimit), the techniques here should provide a fairly comprehensive protection against the BREACH attack.
Installation & Usage
Install from PyPI using:
$ pip install django-debreach
To enable content length modification for all responses, add debreach.middleware.RandomCommentMiddleware to the start of your middleware, but after Django's django.middleware.gzip.GZipMiddleware if you are using that (since Django 2.0 the setting is MIDDLEWARE; MIDDLEWARE_CLASSES was removed in that release):

    MIDDLEWARE = [
        'debreach.middleware.RandomCommentMiddleware',
        ...
    ]

or, with response compression enabled:

    MIDDLEWARE = [
        'django.middleware.gzip.GZipMiddleware',
        'debreach.middleware.RandomCommentMiddleware',
        ...
    ]

Listing RandomCommentMiddleware after GZipMiddleware matters: Django runs response processing in reverse order, so the random comment is appended before the body is compressed.
If you wish to disable this feature for selected views, simply apply the debreach.decorators.random_comment_exempt decorator to the view.
If you only want to protect a subset of views with content length modification, it may be easier not to use the middleware at all and instead apply the debreach.decorators.append_random_comment decorator to the views you want protected.
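To make the mechanism concrete, here is a small stand-alone Python illustration of what the description above says the middleware does. This is an added example, not code from django-debreach: the function and constant names (ALPHABET, random_padding, add_random_comment, compressed_lengths) are assumptions, and the exempt flag stands in for what the random_comment_exempt decorator does in the real project. It appends a 12 to 25 character random comment to text/html bodies only, leaves other content types and exempt views untouched, and shows why that matters by compressing the padded body several times and collecting the distinct sizes an observer would see.

```python
import secrets
import string
import zlib

# Assumed alphabet for the padding; the project's exact character set is not stated on the page.
ALPHABET = string.ascii_letters + string.digits
MIN_LEN, MAX_LEN = 12, 25  # taken from the description: "between 12 and 25 characters"


def random_padding() -> str:
    """Return a random alphanumeric string of 12 to 25 characters (CSPRNG-backed)."""
    length = MIN_LEN + secrets.randbelow(MAX_LEN - MIN_LEN + 1)
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_comment() -> str:
    """Wrap the padding in an HTML comment so it is invisible when rendered."""
    return "<!-- " + random_padding() + " -->"


def is_html(content_type: str) -> bool:
    """True for 'text/html' with or without parameters such as '; charset=utf-8'."""
    return content_type.split(";", 1)[0].strip().lower() == "text/html"


def add_random_comment(content_type: str, body: bytes, exempt: bool = False) -> bytes:
    """Hypothetical stand-in for the middleware's response processing.

    Only text/html responses are padded; 'exempt' models a view marked
    random_comment_exempt and is passed through unchanged.
    """
    if exempt or not is_html(content_type):
        return body
    return body + random_comment().encode("ascii")


def compressed_lengths(content_type: str, body: bytes, samples: int = 50) -> set:
    """Compress the (possibly padded) response 'samples' times and return the distinct
    compressed sizes. For padded HTML the set normally has several members, which is the
    point of the mitigation: the size no longer maps deterministically to the body.
    Unpadded responses always compress to exactly one size."""
    return {len(zlib.compress(add_random_comment(content_type, body))) for _ in range(samples)}


if __name__ == "__main__":
    # Constructed sample response bodies, not captured from any real site.
    page = b"<html><body><form><input name='csrfmiddlewaretoken' value='TOKEN'></form></body></html>"
    print(add_random_comment("text/html; charset=utf-8", page).decode())
    print("html compressed sizes seen:", sorted(compressed_lengths("text/html", page)))
    print("json compressed sizes seen:", sorted(compressed_lengths("application/json", b'{"ok": true}')))
```

The deterministic properties (padding length range, content-type filtering, exemption) are what a deployment check should assert on; the compressed-size spread is illustrative and varies from run to run.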
Python 2 and Django < 2.0 support
Version 2.0.0 drops all support for Python 2 and Django < 2.0. If you need support for those versions, continue using the 1.x line, i.e. django-debreach>=1.5.2,<2.0.
Hashes for django_debreach-2.1.0-py3-none-any.whl

Algorithm | Hash digest
---|---
SHA256 | 03988a228a387ec4a2d332698ad610913d32dbcad672cf5a78842639bfeece6b
MD5 | 419528f4fb79e15fa7d0e1395fd4b70c
BLAKE2b-256 | 366c8b451b1fc650f7a4336e03a5a56d555f823b6b94f1468728d650ef4d42e1