Django Content Security Policy support.
Project description
django-simple-csp
A simple Middleware for adding CSP headers and nonces in Django
Usage
Requires Django >=1.10
Add it to the INSTALLED_APPS settings variable:
INSTALLED_APPS = [ ... 'django.contrib.admin', 'django.contrib.auth', 'django.contrib.contenttypes', 'django.contrib.sessions', 'django.contrib.messages', 'django.contrib.staticfiles', ... 'django-simple-csp' ... ]
Add it to MIDDLEWARE (not MIDDLEWARE_CLASSES):
MIDDLEWARE = [ ... 'django.middleware.security.SecurityMiddleware', 'django.contrib.sessions.middleware.SessionMiddleware', 'django.middleware.common.CommonMiddleware', 'django.middleware.csrf.CsrfViewMiddleware', 'django.contrib.auth.middleware.AuthenticationMiddleware', 'django.contrib.messages.middleware.MessageMiddleware', 'django.middleware.clickjacking.XFrameOptionsMiddleware', ... 'django-simple-csp.middleware.csp.CSPMiddleware', ... ]
CSS
TODO: remove hash from the name of tag?
Example use of hashed inline style:
{% load csp %} {% csp_css_hash %} td.style-class { background-color: red; } {% end_csp_css_hash %}
usage inside of style=”…” attributes is not supported by chromium for now.
Javascript
Nonces
TODO: Change to hashes?
Example:
{% load csp %} <script nonce={% csp_js_nonce %}> alert("bla") </script>
Config Values
CSP_REPORT_URL = “” The URl CSP errors should be reportet to, set to “” if not used, or do not define it.
CSP_REPORT_ONLY = True Set the header to just report CSP errors do not enforce the CSP. Defaults to True.
CSP_ADDITIONAL_SCRIPT_SRC = [] List of additional hosts javascript is allowed to be loaded from
CSP_ADDITIONAL_STYLE_SRC = [] List of additional hosts CSS is allowed to be loaded from
CSP_ADDITIONAL_IMG_SRC = [] List of additional hosts images is allowed to be loaded from
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for django-simple-csp-0.2.dev1.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | efbabff79de751b4aac99be2557867edf9cf07d7ccbb305e7701f650ac348df1 |
|
MD5 | 124956a6b7272a2fde3b301c87294135 |
|
BLAKE2b-256 | 2752b6a8c7647546376ec27c6f989bbf381ab6cc6b10a3a52c69d82c9bdda984 |
Hashes for django_simple_csp-0.2.dev1-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 80f4e2ab77f0ce65da54e278d0b596e1881bf9d7c0f2654bc699ff89d2df8251 |
|
MD5 | 0551491527cf025d91a6c9cade56c32d |
|
BLAKE2b-256 | e8a8edb30baba400d9a16b37d64df990b27cfff85d8cc0e342b0add8c6ec4993 |