Django Content Security Policy support.
Project description
django-simple-csp
A simple Middleware for adding CSP headers and nonces in Django
Usage
Requires Django >=1.10
Add it to the INSTALLED_APPS settings variable:
    INSTALLED_APPS = [
        ...
        'django.contrib.admin',
        'django.contrib.auth',
        'django.contrib.contenttypes',
        'django.contrib.sessions',
        'django.contrib.messages',
        'django.contrib.staticfiles',
        ...
        'django-simple-csp'
        ...
    ]
Add it to MIDDLEWARE (not MIDDLEWARE_CLASSES):
    MIDDLEWARE = [
        ...
        'django.middleware.security.SecurityMiddleware',
        'django.contrib.sessions.middleware.SessionMiddleware',
        'django.middleware.common.CommonMiddleware',
        'django.middleware.csrf.CsrfViewMiddleware',
        'django.contrib.auth.middleware.AuthenticationMiddleware',
        'django.contrib.messages.middleware.MessageMiddleware',
        'django.middleware.clickjacking.XFrameOptionsMiddleware',
        ...
        'django-simple-csp.middleware.csp.CSPMiddleware',
        ...
    ]
CSS
TODO: remove hash from the name of tag?
Example use of hashed inline style:
    {% load csp %}
    {% csp_css_hash %}
    td.style-class { background-color: red; }
    {% end_csp_css_hash %}

Usage inside style="…" attributes is not supported by Chromium for now.
Javascript
Nonces
TODO: Change to hashes?
Example:
    {% load csp %}
    <script nonce={% csp_js_nonce %}>
        alert("bla")
    </script>
Config Values
    CSP_REPORT_URL = ""

The URL that CSP errors should be reported to. Set it to "" if not used, or do not define it.

    CSP_REPORT_ONLY = True

Sets the header to only report CSP errors without enforcing the CSP. Defaults to True.
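An added example (not code from django-simple-csp) of what the hash tag, the nonce tag and the two settings above amount to at the header level, following the CSP specification. The function names, the sample report path and the policy layout are assumptions made for illustration.

```python
import base64
import hashlib
import secrets


def csp_hash(inline_source: str) -> str:
    """CSP source expression for the body of an inline <style> or <script>.

    Browsers hash the exact text between the tags, so every space and
    newline the template renders is part of the hashed input.
    """
    digest = hashlib.sha256(inline_source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def new_nonce() -> str:
    """Unpredictable nonce; one per response, never cached or reused."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_csp_header(style_hashes, script_nonce, report_only=True, report_url=""):
    """Return (header_name, header_value) for one response.

    report_only and report_url mirror the meaning of CSP_REPORT_ONLY and
    CSP_REPORT_URL described above; the directive layout is an assumption.
    """
    directives = [
        "default-src 'self'",
        "style-src " + " ".join(["'self'", *style_hashes]),
        "script-src 'self' 'nonce-" + script_nonce + "'",
    ]
    if report_url:
        directives.append("report-uri " + report_url)
    name = "Content-Security-Policy"
    if report_only:
        # Violations are reported but nothing is blocked.
        name += "-Report-Only"
    return name, "; ".join(directives)


if __name__ == "__main__":
    css = " td.style-class { background-color: red; } "  # constructed sample
    name, value = build_csp_header([csp_hash(css)], new_nonce(),
                                   report_only=True, report_url="/csp-report/")
    print(name + ": " + value)
```

With report_only left at True the browser only reports violations, so inline scripts without a valid nonce still run until the header is switched to the enforcing form.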
Hashes for django-simple-csp-0.1.dev2.tar.gz
Algorithm | Hash digest
---|---
SHA256 | b825ae1e101bb60a882429f5696d647e768b4cb7c8f0991ef6bb83ba598f26dc
MD5 | 4cff07fa7e5b62831d9ddbc6fada8289
BLAKE2b-256 | de39395bb0ee28ce3cd7e18521afae4dd8b689ab0de26b9279326eebb53de15c
Hashes for django_simple_csp-0.1.dev2-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | 144fe12e07ba2acda916533df9eb8c323f2e1494484f4d29227709a4d7e1df31
MD5 | 7996345f2f592d6f8a8567f9d2a4d900
BLAKE2b-256 | 3c50bbc4422cdf49501de7b0e00084b1910f5b5094a3c98c09f52292dc0c77d5