Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/lpomfrey/django-debreach
BREACH mitigation for Django apps.
Last synced: 16 days ago
- Host: GitHub
- URL: https://github.com/lpomfrey/django-debreach
- Owner: lpomfrey
- License: bsd-2-clause
- Created: 2013-08-07T07:14:26.000Z (over 11 years ago)
- Default Branch: master
- Last Pushed: 2023-10-06T10:04:14.000Z (about 1 year ago)
- Last Synced: 2024-05-22T15:10:29.610Z (6 months ago)
- Language: Python
- Size: 118 KB
- Stars: 74
- Watchers: 6
- Forks: 5
- Open Issues: 0
Metadata Files:
- Readme: README.rst
- Contributing: CONTRIBUTING.rst
- License: LICENSE
- Authors: AUTHORS.rst
README
django-debreach
===============

Extra mitigation against the `BREACH attack `_
for Django projects.

Note that as of version 4.2 Django includes this protection natively and this
library is not needed.

django-debreach provides additional protection to Django's built in CSRF
token masking by randomising the content length of each response. This is
achieved by adding a random string of between 12 and 25 characters as a
comment to the end of the HTML content. Note that this will only be applied to
responses with a content type of ``text/html``.

When combined with the built-in mitigations in Django and rate limiting
(either in your web-server, or by using something like
`django-ratelimit `_), the
techniques here should provide a fairly comprehensive protection against the
BREACH attack.

.. image:: https://badge.fury.io/py/django-debreach.png
    :target: https://badge.fury.io/py/django-debreach
    :alt: PyPI

.. image:: https://travis-ci.org/lpomfrey/django-debreach.png?branch=master
    :target: https://travis-ci.org/lpomfrey/django-debreach
    :alt: Build status

.. image:: https://coveralls.io/repos/lpomfrey/django-debreach/badge.png?branch=master
    :target: https://coveralls.io/r/lpomfrey/django-debreach?branch=master
    :alt: Coverage

Installation & Usage
--------------------

Install from PyPI using::

    $ pip install django-debreach

To enable content length modification for all responses, add the
``debreach.middleware.RandomCommentMiddleware`` to the *start* of your
middleware, but *after* the ``GzipMiddleware`` if you are using that::

    MIDDLEWARE_CLASSES = (
        'debreach.middleware.RandomCommentMiddleware',
        ...
    )

or::

    MIDDLEWARE_CLASSES = (
        'django.middleware.gzip.GzipMiddleware',
        'debreach.middleware.RandomCommentMiddleware',
        ...
    )

If you wish to disable this feature for selected views, simply apply the
``debreach.decorators.random_comment_exempt`` decorator to the view.

If you only want to protect a subset of views with content length modification
then it may be easier to not use the middleware, but to selectively apply the
``debreach.decorators.append_random_comment`` decorator to the views you want
protected.

Python 2 and Django < 2.0 support
---------------------------------

Version 2.0.0 drops all support for Python 2 and Django < 2.0. If you need
support for those versions continue using ``django-debreach>=1.5.2,<2.0``.
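The following is an added, framework-free illustration of the technique the README describes (a random 12 to 25 character HTML comment appended only to ``text/html`` responses, with an exempt switch standing in for the ``random_comment_exempt`` decorator). It is not django-debreach's own code and does not use the Django middleware API; the function names, the alphabet used for the padding and the sample page are assumptions made here for the example.

```python
import re
import secrets
import string
from typing import Optional, Set

# Alphabet for the padding; chosen for this illustration, not taken from django-debreach.
_ALPHABET = string.ascii_letters + string.digits

# Character range the README gives for the random string inside the comment.
MIN_LEN, MAX_LEN = 12, 25


def random_comment(min_len: int = MIN_LEN, max_len: int = MAX_LEN) -> str:
    """Return an HTML comment wrapping a random string of min_len..max_len characters."""
    length = min_len + secrets.randbelow(max_len - min_len + 1)
    padding = "".join(secrets.choice(_ALPHABET) for _ in range(length))
    return f"<!-- {padding} -->"


def append_random_comment(body: bytes, content_type: str, exempt: bool = False) -> bytes:
    """Append the padding comment to an HTML response body.

    Follows the README's rules: only ``text/html`` responses are padded, and a
    view marked exempt is left untouched. Anything else (JSON, images, ...)
    passes through unchanged.
    """
    if exempt or not content_type.lower().startswith("text/html"):
        return body
    return body + random_comment().encode("utf-8")


_COMMENT_RE = re.compile(rb"<!-- ([A-Za-z0-9]+) -->$")


def padding_length(body: bytes) -> Optional[int]:
    """Return the length of the trailing padding string, or None if none is present."""
    m = _COMMENT_RE.search(body)
    return len(m.group(1)) if m else None


def observed_lengths(body: bytes, samples: int = 200) -> Set[int]:
    """Pad the same body repeatedly and collect the distinct total lengths.

    BREACH depends on the response length being a stable function of the
    attacker's guess; the spread of lengths returned here is the noise the
    padding adds to that measurement.
    """
    return {len(append_random_comment(body, "text/html")) for _ in range(samples)}


if __name__ == "__main__":
    # Constructed sample response, not taken from any real application.
    page = (b"<html><body><form>"
            b"<input type='hidden' name='csrfmiddlewaretoken' value='TOKEN'>"
            b"</form></body></html>")
    padded = append_random_comment(page, "text/html; charset=utf-8")
    print(padded.decode())
    print("padding length:", padding_length(padded))
    print("distinct padded lengths over 200 responses:", sorted(observed_lengths(page)))
    print("json untouched:", append_random_comment(b'{"ok": true}', "application/json") == b'{"ok": true}')
```

The README's ordering rule is what makes the padding useful: Django applies middleware to responses in reverse list order, so a padding middleware listed after ``GzipMiddleware`` sees the body before it is compressed and the random comment is compressed along with the secret, which is the length BREACH measures. Padding added after compression would leave that compressed length untouched. Note also that the padding only adds noise; an attacker who can make many requests can average it out, which is why the README pairs it with rate limiting.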