django-csp-advanced

A powerful Content-Security-Policy (CSP) middleware for Django. This CSP middleware supports using a dictionary syntax for CSP, and using callables taking arguments (request, response) to fill in parts of the dictionary.

For example, the following settings.py configuration:

ADVANCED_CSP = {
    'block-all-mixed-content': True,
    'frame-src': ['none'],
    'plugin-types': ['application/pdf'],
    'report-uri': '/dev/null',
    'sandbox': ['allow-scripts'],
    'script-src': ['self', 'https://dmoj.ca'],
    'style-src': lambda request, response: ['self'],
    'upgrade-insecure-requests': False,
}

generates this CSP (order may differ based on dictionary hashing):

style-src 'self'; script-src 'self' https://dmoj.ca; frame-src 'none'; plugin-types application/pdf; block-all-mixed-content; sandbox allow-scripts; report-uri /dev/null

Another feature is the ability to augment or replace the CSP from views:

from django.http import HttpResponse

def view(request):
    response = HttpResponse()
    # Augments the global policy: the origin is appended to script-src
    response.csp = {'script-src': ['https://ajax.googleapis.com']}
    return response

This adds https://ajax.googleapis.com to the origins already listed for script-src, resulting in something like:

...; script-src 'self' https://dmoj.ca https://ajax.googleapis.com; ...

You can use 'override': True to replace the CSP instead:

from django.http import HttpResponse

def view(request):
    response = HttpResponse()
    # 'override': True discards the global policy and uses only this dictionary
    response.csp = {'script-src': ['self'], 'override': True}
    return response

This will replace the CSP with script-src 'self'.

You can also set csp_report on the response to add entries to the report-only CSP. Note that neither csp nor csp_report has any effect if the corresponding global policy is disabled. However, csp will be used to populate Content-Security-Policy-Report-Only if there is no enforced CSP policy configured but there is a report-only policy.
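As an added illustration (not the project's own code), the following stand-alone Python models the behaviour described above: resolving callables that take (request, response), serializing the dictionary into a header value, augmenting or overriding the policy from a view, and the report-only fallback. The keyword-quoting rule, the list-deduplicating merge, `build_headers`, `FakeResponse` and the plain `settings` dict standing in for django.conf.settings are assumptions of this example, not the middleware's API.

```python
# Added illustrative example, not django-csp-advanced's own code. It models the
# README's described behaviour; quoting and merge details are assumptions.

# CSP source expressions that must appear in single quotes (assumption: the README
# only shows 'self' and 'none'; this follows the CSP3 keyword set).
QUOTED_KEYWORDS = {'self', 'none', 'unsafe-inline', 'unsafe-eval',
                   'strict-dynamic', 'unsafe-hashes', 'report-sample'}
QUOTED_PREFIXES = ('nonce-', 'sha256-', 'sha384-', 'sha512-')


def quote_source(src):
    """Quote keywords, nonces and hashes; leave hosts, schemes and MIME types bare."""
    if src in QUOTED_KEYWORDS or src.startswith(QUOTED_PREFIXES):
        return "'%s'" % src
    return src


def resolve(policy, request, response):
    """Evaluate callables: the whole policy or any single directive value."""
    if callable(policy):
        policy = policy(request, response)
    if policy is None:
        return None
    return {name: (value(request, response) if callable(value) else value)
            for name, value in policy.items()}


def serialize(policy):
    """Render a resolved policy dict as a header value.

    True -> bare directive; False/None/[] -> omitted; str -> single bare value;
    list -> space-separated sources with keywords quoted.
    """
    parts = []
    for name, value in policy.items():
        if name == 'override' or value is False or value is None or value == []:
            continue
        if value is True:
            parts.append(name)
        elif isinstance(value, str):
            parts.append('%s %s' % (name, value))
        else:
            parts.append('%s %s' % (name, ' '.join(quote_source(v) for v in value)))
    return '; '.join(parts)


def merge(base, view):
    """Augment base with a view dict, or replace it entirely if 'override' is set.

    Lists are extended without duplicates; other values replace the base value.
    """
    if not view:
        return base
    if view.get('override'):
        return {k: v for k, v in view.items() if k != 'override'}
    merged = dict(base or {})
    for name, value in view.items():
        if name == 'override':
            continue
        current = merged.get(name)
        if isinstance(value, list) and isinstance(current, list):
            merged[name] = current + [v for v in value if v not in current]
        else:
            merged[name] = value
    return merged


def build_headers(settings, request, response):
    """Return the CSP headers the middleware would attach to `response`.

    `settings` is a plain dict standing in for django.conf.settings (assumption);
    `response` may carry `.csp` and `.csp_report` as the README describes.
    """
    enforced = resolve(settings.get('ADVANCED_CSP'), request, response)
    report_only = resolve(settings.get('ADVANCED_CSP_REPORT_ONLY'), request, response)
    view_csp = getattr(response, 'csp', None)
    view_report = getattr(response, 'csp_report', None)
    headers = {}
    if enforced is not None:
        headers['Content-Security-Policy'] = serialize(merge(enforced, view_csp))
    if report_only is not None:
        if enforced is None:
            # No enforced policy configured: response.csp feeds the report-only header.
            report_only = merge(report_only, view_csp)
        headers['Content-Security-Policy-Report-Only'] = serialize(merge(report_only, view_report))
    return headers


class FakeResponse:
    """Constructed stand-in for HttpResponse with the two attributes used here."""
    csp = None
    csp_report = None


# Constructed sample: the README's settings.py policy.
SAMPLE_SETTINGS = {
    'ADVANCED_CSP': {
        'block-all-mixed-content': True,
        'frame-src': ['none'],
        'plugin-types': ['application/pdf'],
        'report-uri': '/dev/null',
        'sandbox': ['allow-scripts'],
        'script-src': ['self', 'https://dmoj.ca'],
        'style-src': lambda request, response: ['self'],
        'upgrade-insecure-requests': False,
    },
}

if __name__ == '__main__':
    response = FakeResponse()
    response.csp = {'script-src': ['https://ajax.googleapis.com']}
    print(build_headers(SAMPLE_SETTINGS, None, response))
```

Because Python 3.7+ dictionaries preserve insertion order, the directives come out in the order the settings dict lists them; the README's note about ordering applies to older interpreters where dictionary hashing decided it.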

Installation

First, install the module with:

$ pip install django-csp-advanced

Or if you want the latest bleeding edge version:

$ pip install -e git://github.com/quantum5/django-csp-advanced.git

Then, add 'csp_advanced' to INSTALLED_APPS and 'csp_advanced.middleware.AdvancedCSPMiddleware' to 'MIDDLEWARE' or 'MIDDLEWARE_CLASSES' depending on your setup.

Finally, use either a dictionary or a callable taking request, response as either ADVANCED_CSP or ADVANCED_CSP_REPORT_ONLY.

Examples:

ADVANCED_CSP = lambda request, response: {'script-src': ['self']}

ADVANCED_CSP_REPORT_ONLY = {'script-src': ['self']}

ADVANCED_CSP = {'style-src': lambda request, response: ['self']}

You get the idea.
