
Content Security Policy add-on for Pyramid.

Project description

pyramid-csp

pyramid-csp is a simple Pyramid add-on for adding a Content-Security-Policy header to your HTTP responses.

For more information on Content Security Policies, see https://content-security-policy.com/

Setup

There are two ways of including pyramid-csp in your application:

The first is adding pyramid_csp to the pyramid.includes section of your application settings.

[app:main]
pyramid.includes = pyramid_csp

The second is using the Configurator.include function.

config.include("pyramid_csp")

Basic Usage

The most basic usage of pyramid-csp is to set the csp.policy setting. This setting should be a valid CSP and will be added to the response headers.

[app:main]
csp.policy = default-src https://example.com

>> curl -i http://localhost:8000
...
Content-Security-Policy: default-src https://example.com
...

You can also build a policy programmatically by adding sources with the add_csp_source configuration method. (This works in addition to the csp.policy setting: the sources are appended to the directive.) The first argument is the directive name, the second the source to add.

config.add_csp_source("default-src", "'self'")

>> curl -i http://localhost:8000
...
Content-Security-Policy: default-src https://example.com 'self'
...

The request object also contains an add_csp_source method, which works the same as the configurator method but will only add the source for that request.

import secrets

from pyramid.response import Response


def myview(context, request):
    # A fresh, unguessable nonce for this response only
    nonce = secrets.token_urlsafe()
    request.add_csp_source("default-src", f"'nonce-{nonce}'")
    return Response(body="<h1>Hello</h1>", content_type="text/html")

Note: If no sources are defined for the default-src directive, 'none' is automatically added.

Preset Sources

pyramid-csp provides the CSPSources object, which contains several preset sources. For example:

from pyramid_csp import CSPSources


def includeme(config):
    config.add_csp_source("default-src", CSPSources.UNSAFE_EVAL)

The CSPSources object has the following properties:

  • WILDCARD — *
  • NONE — 'none'
  • SELF — 'self'
  • DATA — data:
  • HTTPS — https:
  • UNSAFE_INLINE — 'unsafe-inline'
  • UNSAFE_EVAL — 'unsafe-eval'
  • STRICT_DYNAMIC — 'strict-dynamic'
  • UNSAFE_HASHES — 'unsafe-hashes'

The object also offers several methods for generating sources:

  • https(domain) — https://{domain}
  • nonce(nonce) — 'nonce-{nonce}'
  • hash(alg, h) — '{alg}-{h}' (h should be a binary hash digest or a base64-encoded string. If binary, it will be base64-encoded.)
  • sha256(h) — 'sha256-{h}'
  • sha384(h) — 'sha384-{h}'
  • sha512(h) — 'sha512-{h}'

Nonces

pyramid-csp adds a csp_nonce property to the request object, containing a cryptographically secure random nonce token. If the property is accessed, the nonce token is added to the CSP of that response.

from pyramid.response import Response


def myview(context, request):
    # Accessing request.csp_nonce also adds the nonce to this response's CSP
    body = f'<script nonce="{request.csp_nonce}">alert("Hello!");</script>'
    return Response(body=body, content_type="text/html")

>> curl -i http://localhost:8000/
...
Content-Security-Policy: default-src 'nonce-ZtynG2MXgOPkqWgHyqf8wrR8jOeprIA2qDMKJuOfEXw'
...
<script nonce="ZtynG2MXgOPkqWgHyqf8wrR8jOeprIA2qDMKJuOfEXw">alert("Hello!")</script>

By default, the nonce will only be added to the default-src directive. To add it to a different directive, use the csp.nonce_directives setting. Multiple directives can be separated with a comma.

[app:main]
csp.nonce_directives = script-src, style-src

from pyramid.response import Response


def myview(context, request):
    body = f'<script nonce="{request.csp_nonce}">alert("Hello!");</script>'
    return Response(body=body, content_type="text/html")

>> curl -i http://localhost:8000/
...
Content-Security-Policy: default-src 'none'; script-src 'nonce-vyjGpdvTnH6x7-eL-RvVMmxx4KNMTfX9WoLdmgijv2c'; script-src 'nonce-vyjGpdvTnH6x7-eL-RvVMmxx4KNMTfX9WoLdmgijv2c'
...
<script nonce="vyjGpdvTnH6x7-eL-RvVMmxx4KNMTfX9WoLdmgijv2c">alert("Hello!")</script>

For more information on CSP nonces, see https://content-security-policy.com/nonce/
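The following is an added, stand-alone illustration of the header assembly this README describes (csp.policy sources first, add_csp_source appending, the default-src 'none' fallback, csp.nonce_directives, and the base64 rule of CSPSources.hash). It is not pyramid_csp's own code; build_policy, parse_policy, hash_source and sha256_source are constructed names, and it assumes only the behaviour documented above.

```python
import base64
import hashlib
import secrets


def parse_policy(policy):
    """Parse 'default-src a b; script-src c' into an ordered {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0], []).extend(tokens[1:])
    return directives


def hash_source(alg, digest):
    """'{alg}-{h}' as documented for CSPSources.hash: a binary digest is base64-encoded,
    a str is assumed to be base64 already."""
    if isinstance(digest, bytes):
        digest = base64.b64encode(digest).decode("ascii")
    return f"'{alg}-{digest}'"


def sha256_source(inline_script):
    """Hash source allowing exactly this inline script body (the text between the tags)."""
    return hash_source("sha256", hashlib.sha256(inline_script.encode("utf-8")).digest())


def build_policy(base_policy="", extra_sources=(), nonce=None, nonce_directives=("default-src",)):
    """Assemble a Content-Security-Policy header value (constructed model of the add-on).

    base_policy    -- the csp.policy setting
    extra_sources  -- (directive, source) pairs from add_csp_source calls, in order
    nonce          -- the per-request csp_nonce value, if it was accessed
    nonce_directives -- the csp.nonce_directives setting (default-src by default)
    """
    directives = parse_policy(base_policy)
    for directive, source in extra_sources:
        directives.setdefault(directive, []).append(source)
    if nonce is not None:
        for directive in nonce_directives:
            directives.setdefault(directive, []).append(f"'nonce-{nonce}'")
    if not directives.get("default-src"):
        directives["default-src"] = ["'none'"]  # documented fallback: deny by default
    ordered = ["default-src"] + [d for d in directives if d != "default-src"]
    return "; ".join(f"{d} {' '.join(directives[d])}" for d in ordered)


if __name__ == "__main__":
    nonce = secrets.token_urlsafe()  # what request.csp_nonce would hold
    print(build_policy(nonce=nonce, nonce_directives=("script-src", "style-src")))
    print(build_policy(extra_sources=[("script-src", sha256_source('alert("Hello!");'))]))
```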


Download files

Source Distribution: pyramid-csp-0.1.0.tar.gz (5.3 kB)

Built Distribution: pyramid_csp-0.1.0-py3-none-any.whl (5.5 kB, Python 3)
