
Adds middleware to give some added protection against the BREACH attack in Django.

Project description

Extra mitigation against the BREACH attack for Django projects.

django-debreach provides additional protection to Django's built-in CSRF token masking by randomising the content length of each response. It does this by appending an HTML comment containing a random string of between 12 and 25 characters to the end of the HTML content; a browser ignores the comment, but it changes the length of each response. Note that this is only applied to responses with a content type of text/html.

When combined with the built-in mitigations in Django and rate limiting (either in your web-server, or by using something like django-ratelimit), the techniques here should provide a fairly comprehensive protection against the BREACH attack.


Installation & Usage

Install from PyPI using:

$ pip install django-debreach

To enable content length modification for all responses, add debreach.middleware.RandomCommentMiddleware to the start of your middleware, but after the GZipMiddleware if you are using that:

MIDDLEWARE_CLASSES = (
    'debreach.middleware.RandomCommentMiddleware',
    ...
)

or:

MIDDLEWARE_CLASSES = (
    'django.middleware.gzip.GZipMiddleware',
    'debreach.middleware.RandomCommentMiddleware',
    ...
)

If you wish to disable this feature for selected views, simply apply the debreach.decorators.random_comment_exempt decorator to the view.

If you only want to protect a subset of views with content length modification then it may be easier to not use the middleware, but to selectively apply the debreach.decorators.append_random_comment decorator to the views you want protected.
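To make the mechanism described above concrete, here is an added, self-contained re-implementation of the padding idea (not the project's own code): a text/html-only random-comment padder, a minimal middleware wrapper, and an exempt decorator. The Response class is a constructed stand-in for Django's HttpResponse so the example runs without Django; the `_random_comment_exempt` response attribute and the helper functions `padding_added` and `distinct_lengths` are assumptions of this example.

```python
import secrets
import string


class Response:
    """Constructed stand-in for django.http.HttpResponse (assumption for this
    example) so it runs without Django installed."""

    def __init__(self, content: bytes, content_type: str = "text/html; charset=utf-8"):
        self.content = content
        self.headers = {"Content-Type": content_type}

    def get(self, name, default=None):
        return self.headers.get(name, default)


MIN_LEN, MAX_LEN = 12, 25                      # bounds stated in the description
ALPHABET = string.ascii_letters + string.digits  # no '-' so '--' can never appear inside the comment


def random_comment() -> bytes:
    """Return an HTML comment whose inner text is MIN_LEN..MAX_LEN random characters.

    `secrets` (a CSPRNG) is used rather than `random`: the padding only helps if
    the amount added cannot be predicted from one response to the next.
    """
    length = MIN_LEN + secrets.randbelow(MAX_LEN - MIN_LEN + 1)
    body = "".join(secrets.choice(ALPHABET) for _ in range(length))
    return f"<!-- {body} -->".encode("ascii")


def append_random_comment(response):
    """Pad a text/html response in place; any other content type is returned untouched."""
    content_type = response.get("Content-Type", "")
    if not content_type.startswith("text/html"):
        return response
    response.content = response.content + random_comment()
    return response


class RandomCommentMiddleware:
    """Hypothetical new-style middleware: pads every text/html response unless the
    view marked its response as exempt."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        response = self.get_response(request)
        if getattr(response, "_random_comment_exempt", False):   # assumed marker attribute
            return response
        return append_random_comment(response)


def random_comment_exempt(view):
    """Decorator: mark the view's response so the middleware skips padding it."""

    def wrapper(request, *args, **kwargs):
        response = view(request, *args, **kwargs)
        response._random_comment_exempt = True
        return response

    return wrapper


def padding_added(content: bytes, content_type: str = "text/html") -> int:
    """Number of bytes one padding pass adds; 0 for non-HTML responses."""
    before = len(content)
    return len(append_random_comment(Response(content, content_type)).content) - before


def distinct_lengths(content: bytes, samples: int = 200) -> int:
    """How many different lengths the same body produces over `samples` responses.
    This variation is what denies a BREACH-style guess a stable length oracle."""
    return len({len(append_random_comment(Response(content)).content) for _ in range(samples)})


if __name__ == "__main__":
    page = b"<html><body>Hello</body></html>"
    print("bytes added to HTML:", padding_added(page))
    print("bytes added to JSON:", padding_added(b'{"a": 1}', "application/json"))
    print("distinct lengths for identical body over 200 responses:", distinct_lengths(page))
```

The comment wrapper `<!-- ` and ` -->` adds 9 bytes on top of the 12 to 25 random characters, so each padded HTML response grows by 21 to 34 bytes, while JSON or binary responses pass through unchanged, matching the text/html-only rule above.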

Python 2 and Django < 2.0 support

Version 2.0.0 drops all support for Python 2 and Django < 2.0. If you need support for those versions continue using django-debreach>=1.5.2,<2.0.

Download files

Source Distribution: django-debreach-2.1.0.tar.gz (15.6 kB)

Built Distribution: django_debreach-2.1.0-py3-none-any.whl (7.7 kB)
