Subresource Integrity for Django

Project description

Django SRI

Subresource Integrity for Django.

Installation

pip install django-sri

Then add sri to your INSTALLED_APPS.

Usage

django-sri is designed to be used through template tags:

{% load sri %}

{% sri "index.js" %} <!-- Will output "<script src='/static/index.js' integrity='sha256-...'></script>" -->
{% sri "index.css" %} <!-- Will output "<link rel='stylesheet' href='/static/index.css' integrity='sha256-...'/>" -->

Specific tags are also available:

{% load sri %}

{% sri_js "index.js" %} <!-- Will output "<script src='/static/index.js' integrity='sha256-...'></script>" -->
{% sri_css "index.css" %} <!-- Will output "<link rel='stylesheet' href='/static/index.css' integrity='sha256-...'/>" -->

For performance, the hashes of files are cached in memory using lru_cache for future requests.

Note: By default, integrity hashes are not output when DEBUG is True, as static files change a lot during local development. To override this, set USE_SRI to True.

Algorithms

The SRI standard supports 3 algorithms: sha256, sha384 and sha512. By default, SHA256 is used. To override this, supply an additional argument to the sri template tag (or the specific ones):

{% load sri %}

{% sri "index.js" "sha512" %} <!-- Will output "<script src='/static/index.js' integrity='sha512-...'></script>" -->

The default algorithm can be changed by setting SRI_ALGORITHM to the required algorithm.

Just the integrity value

To retrieve just the integrity hash (the contents of the integrity attribute), you can use the {% sri_integrity %} tag, which supports the same arguments as the other tags.
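
The value these tags place in the integrity attribute is the algorithm name, a hyphen, and the base64-encoded digest of the file. The following is an added example, not django-sri's own code: integrity_for_bytes, integrity_for_file and matches are hypothetical names, and matches follows the SRI rule that only hashes of the strongest algorithm listed are checked.

```python
import base64
import hashlib
from functools import lru_cache
from pathlib import Path

# The three algorithms the SRI standard supports, weakest to strongest.
ALGORITHMS = ("sha256", "sha384", "sha512")


def integrity_for_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Return '<algorithm>-<base64 digest>', the contents of an integrity attribute."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm!r}")
    digest = hashlib.new(algorithm, data).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


@lru_cache(maxsize=None)
def integrity_for_file(path: str, algorithm: str = "sha256") -> str:
    """Hash a file once per (path, algorithm); later calls hit the in-memory cache."""
    return integrity_for_bytes(Path(path).read_bytes(), algorithm)


def matches(data: bytes, integrity: str) -> bool:
    """Apply the browser-side check: compare data against the strongest hashes listed."""
    tokens = [t.split("?", 1)[0] for t in integrity.split()]  # drop ?options
    tokens = [t for t in tokens if "-" in t and t.split("-", 1)[0] in ALGORITHMS]
    if not tokens:
        return True  # no recognised hash means no integrity enforcement
    strongest = max(tokens, key=lambda t: ALGORITHMS.index(t.split("-", 1)[0]))
    algorithm = strongest.split("-", 1)[0]
    expected = integrity_for_bytes(data, algorithm)
    # Several hashes of the same algorithm may be listed; any one may match.
    return any(t == expected for t in tokens if t.startswith(algorithm + "-"))


if __name__ == "__main__":
    script = b"console.log('constructed sample asset');\n"  # constructed input
    for name in ALGORITHMS:
        print(integrity_for_bytes(script, name))
    value = integrity_for_bytes(script, "sha384")
    # Unmodified bytes pass; bytes with anything appended fail.
    print(matches(script, value), matches(script + b"// changed", value))
```

Because the cache in this sketch is keyed by path, a file replaced on disk keeps its old hash until the process restarts or the cache is cleared.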

"Does this work with whitenoise or alike?"

Yes. django-sri outputs the static file URL in the same way the builtin static template tag does. This means the correct cachebusted URLs are output.

Download files

Source Distribution

django-sri-0.1.1.tar.gz (3.4 kB)

Uploaded Source

File details

Details for the file django-sri-0.1.1.tar.gz.

File metadata

  • Download URL: django-sri-0.1.1.tar.gz
  • Upload date:
  • Size: 3.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.1.1 pkginfo/1.5.0.1 requests/2.23.0 setuptools/41.2.0 requests-toolbelt/0.9.1 tqdm/4.45.0 CPython/3.8.2

File hashes

Hashes for django-sri-0.1.1.tar.gz
Algorithm Hash digest
SHA256 3df7bf87e6bb5c26d6c3858bd90ed8f0f04201243db5d7ae30c0637b8bd101db
MD5 2093f0c056777bc7582052c7c28d9c68
BLAKE2b-256 578b72298ba8d0c5a143f2c831feb39c93d6ac57c6c60af3311fd5f204efe199
