Django Content Security Policy support.

Project description

django-simple-csp

A simple Middleware for adding CSP headers and nonces in Django

Usage

Requires Django >=1.10

Add it to the INSTALLED_APPS settings variable:

INSTALLED_APPS = [
    ...
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    ...
    'django_simple_csp',
    ...
]

Add it to MIDDLEWARE (not MIDDLEWARE_CLASSES):

MIDDLEWARE = [
    ...
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    ...
    'django_simple_csp.middleware.csp.CSPMiddleware',
    ...
]

CSS

TODO: remove hash from the name of tag?

Example use of hashed inline style:

{% load csp %}
{% csp_css_hash %}
    td.style-class {
        background-color: red;
    }
{% end_csp_css_hash %}

Usage inside of style="…" attributes is not supported by Chromium for now.

Javascript

Nonces

TODO: Change to hashes?

Example:

{% load csp %}
<script nonce="{% csp_js_nonce %}">
    alert("bla")
</script>

Config Values

CSP_REPORT_URL = "" The URL that CSP violation reports should be sent to. Set it to "" or leave it undefined if reporting is not used.

CSP_REPORT_ONLY = True Only report CSP violations instead of enforcing the policy. Defaults to True.

CSP_ADDITIONAL_SCRIPT_SRC = [] List of additional hosts JavaScript is allowed to be loaded from.

CSP_ADDITIONAL_STYLE_SRC = [] List of additional hosts CSS is allowed to be loaded from.

CSP_ADDITIONAL_IMG_SRC = [] List of additional hosts images are allowed to be loaded from.

CSP_ADDITIONAL_DEFAULT_SRC = [] List of additional hosts all other resources are allowed to be loaded from.
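The three building blocks the sections above rely on (a hash source for the {% csp_css_hash %} block, a per-response nonce for the script tag, and a header assembled from the CSP_* settings) can be shown without Django. The following is an added example written for this page, not the project's own code: it uses plain hashlib/secrets, and the directive layout, the 'self' sources and the settings dict shape are assumptions for illustration, not a description of what CSPMiddleware actually emits.

```python
"""Added example: the CSP primitives behind hashed inline CSS, script nonces and
the CSP_* settings, in plain Python (no Django required). The directive layout
and the 'self' sources below are assumptions made for this illustration."""
import base64
import hashlib
import secrets


def csp_hash(source: str, algorithm: str = "sha256") -> str:
    """Return a CSP hash-source token such as 'sha256-...' for an inline block.
    The hash covers the exact text between the tags, so indentation and
    newlines inside the block are part of the hashed input."""
    digest = hashlib.new(algorithm, source.encode("utf-8")).digest()
    return f"'{algorithm}-{base64.b64encode(digest).decode('ascii')}'"


def hashed_style_block(css: str) -> tuple:
    """Mimic what a hashed-style tag has to do: emit the <style> element and
    remember the hash of its exact content for the style-src directive."""
    return f"<style>{css}</style>", csp_hash(css)


def new_nonce(num_bytes: int = 16) -> str:
    """Fresh nonce from a CSPRNG; generated once per response, never reused."""
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def script_tag(nonce: str, body: str) -> str:
    """Quote the nonce attribute: base64 may contain '=' which is not allowed
    in an unquoted HTML attribute value."""
    return f'<script nonce="{nonce}">{body}</script>'


def build_csp_header(settings: dict, script_nonce: str, style_hashes: list) -> tuple:
    """Assemble (header_name, header_value) from a settings dict keyed like the
    CSP_* values documented above. Hypothetical layout for this example."""
    extra = lambda key: list(settings.get(key, []))
    default_src = ["'self'"] + extra("CSP_ADDITIONAL_DEFAULT_SRC")
    script_src = ["'self'", f"'nonce-{script_nonce}'"] + extra("CSP_ADDITIONAL_SCRIPT_SRC")
    style_src = ["'self'"] + list(style_hashes) + extra("CSP_ADDITIONAL_STYLE_SRC")
    img_src = ["'self'"] + extra("CSP_ADDITIONAL_IMG_SRC")
    directives = [
        "default-src " + " ".join(default_src),
        "script-src " + " ".join(script_src),
        "style-src " + " ".join(style_src),
        "img-src " + " ".join(img_src),
    ]
    report_url = settings.get("CSP_REPORT_URL", "")
    if report_url:
        directives.append("report-uri " + report_url)
    # Report-only is the documented default: violations are reported, not blocked.
    report_only = settings.get("CSP_REPORT_ONLY", True)
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, "; ".join(directives)


if __name__ == "__main__":
    # Constructed sample settings for the demo (not real deployment values).
    sample_settings = {
        "CSP_REPORT_ONLY": False,
        "CSP_REPORT_URL": "/csp-report/",
        "CSP_ADDITIONAL_SCRIPT_SRC": ["https://cdn.example"],
    }
    html, style_hash = hashed_style_block("td.style-class { background-color: red; }")
    nonce = new_nonce()
    print(html)
    print(script_tag(nonce, 'alert("bla")'))
    print(*build_csp_header(sample_settings, nonce, [style_hash]), sep=": ")
```

Two points are worth checking in any deployment: a style hash only matches when the emitted CSS is byte-for-byte what was hashed (template whitespace included), and with CSP_REPORT_ONLY left at its default of True the browser reports violations but enforces nothing, so the policy protects nothing until it is switched to False.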

Upgrades

From < 0.3

'django-simple-csp' has to be changed into 'django_simple_csp' in INSTALLED_APPS in the Django settings.py.


Download files

Source Distribution

django-simple-csp-0.4.dev1.tar.gz (4.3 kB)

Uploaded Source

Built Distribution

django_simple_csp-0.4.dev1-py3-none-any.whl (5.2 kB)

Uploaded Python 3

File details

Details for the file django-simple-csp-0.4.dev1.tar.gz.

File metadata

  • Download URL: django-simple-csp-0.4.dev1.tar.gz
  • Size: 4.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.11.7

File hashes

Hashes for django-simple-csp-0.4.dev1.tar.gz
Algorithm Hash digest
SHA256 2abf2382bdcc575d24d2c8afec532b9ed20196d1ae9825bf5cc03a02f6b1965d
MD5 7d435e3c0a684422587ae5a68bacdc3d
BLAKE2b-256 a3a8e58da815b20aa08f6a1c62cde311660ab5e93f41c40cea9cb2f8fcc48c1f

File details

Details for the file django_simple_csp-0.4.dev1-py3-none-any.whl.

File hashes

Hashes for django_simple_csp-0.4.dev1-py3-none-any.whl
Algorithm Hash digest
SHA256 6aa4a3f660b3e26f680cf983e18d59e692b4d87353412626676999cf14e8a992
MD5 6cf6984d2d1c7299b088de3f49738e7e
BLAKE2b-256 e38b38cf0058729e6fa1d5a59a0ed9308c84c8ea342e538d650df0dd09800865
