Django Content Security Policy support.
Project description
django-simple-csp
A simple Middleware for adding CSP headers and nonces in Django
Usage
Requires Django >=1.10
Add it to the INSTALLED_APPS settings variable:
INSTALLED_APPS = [ ... 'django.contrib.admin', 'django.contrib.auth', 'django.contrib.contenttypes', 'django.contrib.sessions', 'django.contrib.messages', 'django.contrib.staticfiles', ... 'django_simple_csp' ... ]
Add it to MIDDLEWARE (not MIDDLEWARE_CLASSES):
MIDDLEWARE = [ ... 'django.middleware.security.SecurityMiddleware', 'django.contrib.sessions.middleware.SessionMiddleware', 'django.middleware.common.CommonMiddleware', 'django.middleware.csrf.CsrfViewMiddleware', 'django.contrib.auth.middleware.AuthenticationMiddleware', 'django.contrib.messages.middleware.MessageMiddleware', 'django.middleware.clickjacking.XFrameOptionsMiddleware', ... 'django-simple-csp.middleware.csp.CSPMiddleware', ... ]
CSS
TODO: remove hash from the name of tag?
Example use of hashed inline style:
{% load csp %} {% csp_css_hash %} td.style-class { background-color: red; } {% end_csp_css_hash %}
usage inside of style=”…” attributes is not supported by chromium for now.
Javascript
Nonces
TODO: Change to hashes?
Example:
{% load csp %} <script nonce={% csp_js_nonce %}> alert("bla") </script>
Config Values
CSP_REPORT_URL = “” The URl CSP errors should be reported to, set to “” if not used, or do not define it.
CSP_REPORT_ONLY = True Set the header to just report CSP errors do not enforce the CSP. Defaults to True.
CSP_ADDITIONAL_SCRIPT_SRC = [] List of additional hosts javascript is allowed to be loaded from
CSP_ADDITIONAL_STYLE_SRC = [] List of additional hosts CSS is allowed to be loaded from
CSP_ADDITIONAL_IMG_SRC = [] List of additional hosts images is allowed to be loaded from
Upgrades
From < 0.3
‘django-simple-csp’ has to be changed into ‘django_simple_csp’ in th INSTALLED_APPS in Django settings.py
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for django-simple-csp-0.3.dev1.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | fbb67d73645bb1c7af3b0295b0edcf0a4f934d6edce3d96505f1041376ddeea8 |
|
MD5 | 63fb3016c8ad77b3bc86309181841683 |
|
BLAKE2b-256 | aa1700c8933e9beae61e4bfcbe3b36c7452547297a498f124939c4034bfdf378 |
Hashes for django_simple_csp-0.3.dev1-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | d17ee2a0267a0ad08a0ad2ad6bbfe734328391570343e46014080ca9c512c866 |
|
MD5 | 958ae777f8f1a44e880afcc9ce0de7da |
|
BLAKE2b-256 | 2df99fcab7a8f740149c2403c1f5f44f927c25caea73232187419dae9b9df198 |