
A collection of tools to help secure a Django project. Update 2.1.4: mod for pwdExpiry.

Project description



This package offers a number of models, views, middlewares and forms to facilitate security hardening of Django applications.

Full documentation

Automatically generated documentation of django-security is available on Read The Docs.


Requirements

  • Python >= 2.7
  • Django >= 1.8

For Django < 1.8 use django-security==0.9.4.


Installation

Install from the Python Package Index (PyPI):

pip install django-security

If you prefer the latest development version, install from the django-security repository on GitHub:

git clone
cd django-security
sudo python setup.py install

Adding to the Django application's settings file:

Add the security app to INSTALLED_APPS, then enable the middleware you want. Before Django 1.10, middleware modules are added to the MIDDLEWARE_CLASSES list in the settings file; from Django 1.10 onwards they are added to the MIDDLEWARE list instead (Django 1.10 and 1.11 ignore MIDDLEWARE_CLASSES whenever MIDDLEWARE is defined). Middleware that inspects request.user (LoginRequiredMiddleware, MandatoryPasswordChangeMiddleware) must be listed after django.contrib.auth.middleware.AuthenticationMiddleware.

Unlike the modules listed above, some other modules require configuration settings, which are fully described in the django-security documentation. A brief description of each module is provided below.
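The settings fragment this section describes, as an added example rather than a snippet from the project's README. It assumes the upstream app label 'security' and module path security.middleware, and enables only the middleware that the table below marks as needing no or optional configuration; the "Required" ones need their own settings first.

```python
# settings.py fragment (added example; assumes django-security's app label
# 'security' and its middleware module path security.middleware).

INSTALLED_APPS = [
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'security',  # provides the CspReport and PasswordExpiry models
]

# Output-hardening middleware that the README table marks as needing no or
# only optional configuration. Modules marked "Required" (CSP, login
# required, mandatory password change, ...) need their settings defined
# before they are added here.
SECURITY_MIDDLEWARE = [
    'security.middleware.DoNotTrackMiddleware',
    'security.middleware.ContentNoSniff',
    'security.middleware.XssProtectMiddleware',
    'security.middleware.XFrameOptionsMiddleware',
    'security.middleware.StrictTransportSecurityMiddleware',  # HTTPS-only sites
]

# Django >= 1.10: MIDDLEWARE is a plain list. Middleware that reads
# request.user belongs after AuthenticationMiddleware, so the
# django-security entries go last.
MIDDLEWARE = [
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
] + SECURITY_MIDDLEWARE

# Django 1.8/1.9: use MIDDLEWARE_CLASSES with the same entries and do not
# define MIDDLEWARE at all (Django 1.10/1.11 ignore MIDDLEWARE_CLASSES as
# soon as MIDDLEWARE is set).
# MIDDLEWARE_CLASSES = tuple(MIDDLEWARE)
```

Pick one of the two middleware settings for your Django version; defining both only works as a comment, as shown.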


Middleware

The provided middleware modules modify the web application's output and input and in most cases require no or minimal configuration.

| Middleware | Description | Configuration |
| --- | --- | --- |
| ContentNoSniff | Sends X-Content-Type-Options: nosniff to disable the possibly insecure autodetection (sniffing) of MIME types in browsers. Recommended. | None |
| ContentSecurityPolicyMiddleware | Sends a Content Security Policy (CSP) header in the HTTP response. Recommended; the policy requires careful tuning. | Required |
| DoNotTrackMiddleware | Reads the browser's Do Not Track (DNT) preference and passes it to the application. Recommended; honouring it requires implementation in views and templates. | None |
| LoginRequiredMiddleware | Requires a user to be authenticated to view any page on the site that has not been whitelisted. | Required |
| MandatoryPasswordChangeMiddleware | Redirects any request from an authenticated user to the password change form if that user's password has expired. | Required |
| NoConfidentialCachingMiddleware | Adds no-cache and no-store caching headers to confidential pages so they are not retained by browser or proxy caches. | Required |
| P3PPolicyMiddleware | Adds the P3P header carrying a compact P3P privacy policy. Legacy: only older Internet Explorer versions acted on it. | Required |
| SessionExpiryPolicyMiddleware | Expires sessions on browser close and on the expiry times stored in the cookie itself. | Required |
| StrictTransportSecurityMiddleware | Sends Strict-Transport-Security (HSTS) to enforce SSL/TLS connections and disable plaintext fall-back. Recommended for SSL/TLS sites. | Optional |
| XFrameOptionsMiddleware | Sends X-Frame-Options to disable framing of the website, mitigating clickjacking attacks. Recommended. | Optional |
| XssProtectMiddleware | Sends X-XSS-Protection to enable the browser's built-in cross-site scripting filter. Recommended by the project, but the header is legacy: Chromium-based browsers have removed the filter and Firefox never implemented it, so rely on CSP for current browsers. | None |



Views

security.views.csp_report

View that receives Content Security Policy violation reports sent by browsers in response to the CSP header set by ContentSecurityPolicyMiddleware. This should be used only if long-term, continuous CSP report analysis is required. For a one-time CSP setup, CspBuilder is much simpler.

This view can be configured to either log received reports or store them in the database. See the documentation for details.
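What the CSP middleware and the report receiver above deal with, as an added example that is not the project's middleware or csp_report view: a Python 3 function that serialises a directive mapping into a Content-Security-Policy header value, and a validating parser for the JSON report a browser POSTs back to the report-uri endpoint. The {"csp-report": {...}} shape with keys such as document-uri, violated-directive and blocked-uri is the CSP report-uri format; the size cap, the field whitelist, the helper names, and the sample policy and report are assumptions constructed for this example.

```python
"""Added example, not the project's middleware or csp_report view: build a
Content-Security-Policy header value and validate the JSON violation report a
browser POSTs back to the report-uri endpoint (Python 3).

The {"csp-report": {...}} shape is the CSP report-uri format; the size cap,
field whitelist, sample policy and sample report are constructed here.
"""
import json
from collections import Counter

MAX_REPORT_BYTES = 8 * 1024  # reports come from anyone on the internet: cap them
REQUIRED_FIELDS = ("document-uri", "violated-directive")
KEPT_FIELDS = REQUIRED_FIELDS + (
    "effective-directive", "blocked-uri", "original-policy",
    "source-file", "line-number",
)


def build_csp_header(directives):
    """Serialise {'script-src': ["'self'", 'https://cdn...'], ...} into the
    header value; insertion order is kept so the output is reproducible."""
    parts = []
    for name, sources in directives.items():
        if isinstance(sources, str):
            sources = [sources]
        parts.append(name if not sources else "%s %s" % (name, " ".join(sources)))
    return "; ".join(parts)


class InvalidReport(ValueError):
    """Raised for a body the endpoint should answer with 400 and not store."""


def parse_csp_report(body):
    """Return only the known report fields, as bounded strings.

    Everything a client sends here is attacker-controllable, so reject
    oversize or malformed bodies and never store arbitrary keys.
    """
    if len(body) > MAX_REPORT_BYTES:
        raise InvalidReport("report too large")
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        raise InvalidReport("body is not valid JSON")
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict):
        raise InvalidReport("missing csp-report object")
    for field in REQUIRED_FIELDS:
        if not isinstance(report.get(field), str):
            raise InvalidReport("missing or non-string field: %s" % field)
    return {field: str(report[field])[:2048] for field in KEPT_FIELDS if field in report}


def is_rejected(body):
    """True when parse_csp_report refuses the body."""
    try:
        parse_csp_report(body)
    except InvalidReport:
        return True
    return False


def summarize_reports(reports):
    """Tally parsed reports by (violated-directive, blocked-uri) for triage;
    a noisy (directive, uri) pair usually means a policy gap or an extension."""
    return Counter((r["violated-directive"], r.get("blocked-uri", "")) for r in reports)


# Constructed sample policy, and the report a browser would send when an
# inline script executes on /checkout/.
POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example.com"],
    "report-uri": ["/csp-report/"],
}
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://app.example.com/checkout/",
    "violated-directive": "script-src 'self' https://cdn.example.com",
    "effective-directive": "script-src",
    "blocked-uri": "inline",
    "original-policy": build_csp_header(POLICY),
    "line-number": 42,
    "unexpected-key": "dropped by the parser",
}}).encode("utf-8")

if __name__ == "__main__":
    print(build_csp_header(POLICY))
    parsed = parse_csp_report(SAMPLE_REPORT)
    print(parsed)
    print(summarize_reports([parsed, parsed]).most_common(1))
```

The report endpoint is an unauthenticated POST target that anyone can hit, which is why the parser caps the body, requires the two fields every real report has, and keeps only a fixed set of keys truncated to a bounded length before anything is logged or written to a database; rate limiting at the web server is the other half of that hardening.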


security.views.require_ajax

A view decorator which ensures that the request being processed by the view is an AJAX request. Example usage:

    from security.views import require_ajax

    @require_ajax
    def myview(request):
        ...

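A framework-free re-creation of what such a decorator checks, added here as an example; it is not the project's own require_ajax, and the Request/Response stand-ins, the view and the status_for helper are constructed for it. The check (X-Requested-With equal to "XMLHttpRequest") is the one Django's request.is_ajax() performed until that method was removed in Django 3.1.

```python
"""Added example (framework-free re-creation, not the project's own
require_ajax): gate a view so it only serves XMLHttpRequest calls.

The Request, Response and view below are stand-ins constructed for this
example; the check mirrors Django's former request.is_ajax().
"""
from functools import wraps


class Request:
    """Minimal stand-in for a Django HttpRequest: WSGI-style META dict."""
    def __init__(self, method="GET", headers=None):
        self.method = method
        self.META = {"HTTP_" + k.upper().replace("-", "_"): v
                     for k, v in (headers or {}).items()}


class Response:
    def __init__(self, status, body=""):
        self.status_code = status
        self.content = body


def is_ajax(request):
    # Header names are case-insensitive in HTTP (normalised into META keys),
    # but the value comparison is exact: XHR libraries send precisely
    # "XMLHttpRequest", so anything else is treated as a non-AJAX request.
    return request.META.get("HTTP_X_REQUESTED_WITH") == "XMLHttpRequest"


def require_ajax(view):
    """Return 403 unless the request carries X-Requested-With: XMLHttpRequest.

    A browser cannot attach this custom header to a cross-origin request
    without a CORS preflight that the server has to approve, so the check
    blocks plain <form>/<img>/link-driven cross-site requests. It does not
    replace CSRF tokens or authentication: same-origin scripts and any
    non-browser client can set the header at will.
    """
    @wraps(view)
    def check_ajax(request, *args, **kwargs):
        if not is_ajax(request):
            return Response(403, "AJAX request required")
        return view(request, *args, **kwargs)
    return check_ajax


@require_ajax
def account_balance(request):
    return Response(200, '{"balance": 42}')


def status_for(headers):
    """Helper: status code account_balance returns for the given headers."""
    return account_balance(Request(headers=headers)).status_code


if __name__ == "__main__":
    print(status_for({"X-Requested-With": "XMLHttpRequest"}))  # 200
    print(status_for({}))                                       # 403
    print(status_for({"x-requested-with": "xmlhttprequest"}))   # 403: value is case-sensitive
```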


Models

security.models.CspReport

Content Security Policy violation report object. Only makes sense if ContentSecurityPolicyMiddleware and the csp_report view are used. With this model, the reports can then be analysed in the Django admin site.


security.models.PasswordExpiry

Associates a password expiry date with a user; MandatoryPasswordChangeMiddleware consults it to decide whether the user must change their password.
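The decision a mandatory-password-change middleware has to make, as an added, framework-free Python 3 example for the MandatoryPasswordChangeMiddleware row above and this model; it is not the project's code. The User/Request stand-ins, the paths, the 90-day default, the decide() helper and the rule that a user without an expiry record counts as expired are assumptions of this example.

```python
"""Added, framework-free example (not the project's
MandatoryPasswordChangeMiddleware or PasswordExpiry model): decide whether an
authenticated request must be redirected to the password change form because
the user's stored expiry date has passed.

The User/Request stand-ins, paths, 90-day default and the "no record means
expired" rule are assumptions of this example.
"""
from datetime import datetime, timedelta, timezone

PASSWORD_CHANGE_PATH = "/accounts/password/change/"
# Paths the redirect must skip: the change form itself (GET and POST), logout,
# and static assets. Without these an expired user loops forever on the form.
EXEMPT_PATHS = (PASSWORD_CHANGE_PATH, "/accounts/logout/", "/static/")
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # fixed clock for the demo


class User:
    def __init__(self, is_authenticated, password_expiry=None):
        self.is_authenticated = is_authenticated
        self.password_expiry = password_expiry  # timezone-aware datetime or None


class Request:
    def __init__(self, path, user):
        self.path = path
        self.user = user


def password_expired(user, now):
    """True once the expiry is in the past. No record at all also counts as
    expired, so accounts that predate the policy get forced through the form
    once instead of keeping an unbounded password lifetime."""
    if user.password_expiry is None:
        return True
    return user.password_expiry <= now


def mandatory_password_change_redirect(request, now):
    """Return the redirect target, or None when the request may proceed.

    Anonymous users are left alone (login enforcement is a separate concern),
    and exempt paths are checked before the expiry lookup so the change form
    itself stays reachable.
    """
    if not request.user.is_authenticated:
        return None
    if request.path.startswith(EXEMPT_PATHS):
        return None
    if password_expired(request.user, now):
        return PASSWORD_CHANGE_PATH
    return None


def next_expiry(now, max_age_days=90):
    """Expiry date to store alongside a freshly set password."""
    return now + timedelta(days=max_age_days)


def decide(path, authenticated=True, expiry_in_days=None, now=NOW):
    """Convenience wrapper: expiry_in_days=None models a user without an
    expiry record; negative values are already-expired passwords."""
    expiry = None if expiry_in_days is None else now + timedelta(days=expiry_in_days)
    return mandatory_password_change_redirect(Request(path, User(authenticated, expiry)), now)


if __name__ == "__main__":
    print(decide("/dashboard/", expiry_in_days=-1))         # redirect to the change form
    print(decide("/dashboard/", expiry_in_days=30))         # None: password still valid
    print(decide(PASSWORD_CHANGE_PATH, expiry_in_days=-1))  # None: exempt, so no loop
    print(next_expiry(NOW).date())                          # 2024-04-14
```

The exemption list is the part that bites in practice: the change form's own URL, its POST target and logout have to be excluded, or an expired user is redirected to a page that redirects them again.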


Logging

All django-security modules send important log messages to the security logging facility (the logger named 'security'). The application should configure a handler to receive them, for example:

    LOGGING = {
        'version': 1,
        'disable_existing_loggers': False,
        'formatters': {'verbose': {'format': '%(levelname)s %(asctime)s %(name)s %(message)s'}},
        'handlers': {'console': {'class': 'logging.StreamHandler', 'formatter': 'verbose'}},
        'loggers': {
            'security': {
                'handlers': ['console'],
                'level': 'INFO',
                'propagate': False,
            },
        },
    }

Formatters are attached to handlers, not loggers; a 'formatter' key inside a logger entry is ignored by logging.config.dictConfig.

Project details

Download files


Files for django-security-2.0, version 1.0.1:

  • django_security_2.0-1.0.1-py2-none-any.whl (31.1 kB), wheel, Python 2
  • django-security_2.0-1.0.1.tar.gz (24.1 kB), source distribution
