Skip to main content

Set the draft security HTTP header Feature-Policy on your Django app.

Project description


Set the draft security HTTP header Feature-Policy on your Django app.


Python 3.5 to 3.8 supported.

Django 2.0 to 3.0 supported.


Install with pip:

python -m pip install django-feature-policy

Then add the middleware, best after Django’s SecurityMiddleware as it does similar addition of security headers that you’ll want on every response:


By default no header will be set, configure the setting as below.


Change the FEATURE_POLICY setting to configure what Feature-Policy header gets set.

This should be a dictionary laid out with:

  • Keys as the names of browser features - a full list is available on the W3 Spec repository. The MDN article is also worth reading.
  • Values as lists of strings, where each string is either an origin, e.g. '', or of the special values 'self', 'none', or '*'. If there is just one value, no containing list is necessary. Note that in the header, special values like 'none' include single quotes around them - do not include these quotes in your Python string, they will be added by the middleware.

If the keys or values are invalid, ImproperlyConfigured will be raised at instantiation time, or when processing a response. The current feature list is pulled from the JavaScript API with document.featurePolicy.allowedFeatures() on Chrome.


Disable geolocation from running in the current page and any iframe:

    'geolocation': 'none',

Allow autoplay from the current origin and iframes from

    'autoplay': ['self', ''],


3.4.0 (2020-04-09)

  • Updated to the latest set of features from Chrome 83.

    New features:

    • ch-ua-full-version
    • screen-wake-lock

    Removed features:

    • font-display-late-swap
    • oversized-images
    • unoptimized-lossless-images
    • unoptimized-lossless-images-strict
    • unoptimized-lossy-images
    • unsized-media
    • wake-lock
  • Added Django 3.1 support.

3.3.0 (2020-04-09)

  • Dropped Django 1.11 support. Only Django 2.0+ is supported now.
  • Updated to the latest set of features from Chrome 81. This adds ‘ch-ua-mobile’, removes ‘document-access’, and ‘vr’, and renames ‘downloads-without-user-activation’ to ‘downloads’.

3.2.0 (2020-01-19)

  • Updated to the latest set of features from Chrome. This adds 2 new features: ‘document-access’ and ‘xr-spatial-tracking’. This also removes the ‘speaker’ since it has now been removed from the w3c specification.

3.1.0 (2019-11-15)

  • Updated to the latest set of features from Chrome. This adds 17 new features: ‘ch-device-memory’, ‘ch-downlink’, ‘ch-dpr’, ‘ch-ect’, ‘ch-lang’, ‘ch-rtt’, ‘ch-ua’, ‘ch-ua-arch’, ‘ch-ua-model’, ‘ch-ua-platform’, ‘ch-viewport-width’, ‘ch-width’, ‘execution-while-not-rendered’, and ‘execution-while-out-of-viewport’. Chrome has also removed support for ‘speaker’ but since this is still in the specification, it has been left.
  • Converted setuptools metadata to configuration file. This meant removing the __version__ attribute from the package. If you want to inspect the installed version, use importlib.metadata.version("django-feature-policy") (docs / backport).
  • Suport Python 3.8.

3.0.0 (2019-08-02)

  • Updated to the latest set of features from Chrome. This removes ‘legacy-image-formats’ and ‘unoptimized-images’, and adds 17 new features: ‘downloads-without-user-activation’, ‘focus-without-user-activation’, ‘forms’, ‘hid’, ‘idle-detection’, ‘loading-frame-default-eager’, ‘modals’, ‘orientation-lock’, ‘pointer-lock’, ‘popups’, ‘presentation’, ‘scripts’, ‘serial’, ‘top-navigation’, ‘unoptimized-lossless-images’, ‘unoptimized-lossless-images-strict’ and ‘unoptimized-lossy-images’. Note that most of these are still experimental as can be seen on the [W3C feature list](
  • Stop marking the distributed wheel as universal. Python 2 was never supported so the wheel was never actually universal.

2.3.0 (2019-05-19)

  • Update Python support to 3.5-3.7, as 3.4 has reached its end of life.
  • Make the generated header deterministic by iterating the settings dict in sorted order.
  • Support Django 1.11 for completeness.

2.2.0 (2019-05-08)

  • Fix interpretation of ‘*’ by not automatically adding quotes.
  • Optimize header generation to reduce impact on every request.

2.1.0 (2019-04-28)

  • Tested on Django 2.2. No changes were needed for compatibility.

2.0.0 (2019-03-29)

  • Updated to the latest set of features from Chrome. ‘animations’, ‘image-compression’, and ‘max-downscaling-image’ have been removed, whilst ‘document-domain’, ‘font-display-late-swap’, ‘layout-animations’, ‘oversized-images’, ‘unoptimized-images’, and ‘wake-lock’ have been added. See more at .

1.0.1 (2019-01-02)

1.0.0 (2018-10-24)

  • First release, supporting adding the header with a middleware.

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for django-feature-policy, version 3.4.0
Filename, size File type Python version Upload date Hashes
Filename, size django_feature_policy-3.4.0-py3-none-any.whl (6.0 kB) File type Wheel Python version py3 Upload date Hashes View
Filename, size django-feature-policy-3.4.0.tar.gz (10.5 kB) File type Source Python version None Upload date Hashes View

Supported by

Pingdom Pingdom Monitoring Google Google Object Storage and Download Analytics Sentry Sentry Error logging AWS AWS Cloud computing DataDog DataDog Monitoring Fastly Fastly CDN DigiCert DigiCert EV certificate StatusPage StatusPage Status page