https://github.com/lpomfrey/django-debreach

BREACH mitigation for Django apps.
https://github.com/lpomfrey/django-debreach

Last synced: 16 days ago
JSON representation

BREACH mitigation for Django apps.

• Host: GitHub
• URL: https://github.com/lpomfrey/django-debreach
• Owner: lpomfrey
• License: bsd-2-clause
• Created: 2013-08-07T07:14:26.000Z (over 11 years ago)
• Default Branch: master
• Last Pushed: 2023-10-06T10:04:14.000Z (about 1 year ago)
• Last Synced: 2024-05-22T15:10:29.610Z (6 months ago)
• Language: Python
• Size: 118 KB
• Stars: 74
• Watchers: 6
• Forks: 5
• Open Issues: 0
• Metadata Files:
  • Readme: README.rst
  • Contributing: CONTRIBUTING.rst
  • License: LICENSE
  • Authors: AUTHORS.rst

Awesome Lists containing this project

README

        
django-debreach

===============

Extra mitigation against the `BREACH attack `_ 

for Django projects. 

Note (that as of version 4.2 Django) includes this protection natively and this 

library is not needed.

django-debreach provides additional protection to Django's built in CSRF

token masking by randomising the content length of each response. This is 

achieved by adding a random string of between 12 and 25 characters as a 

comment to the end of the HTML content. Note that this will only be applied to 

responses with a content type of ``text/html``.

When combined with the built-in mitigations in Django and rate limiting 

(either in your web-server, or by using something like 

`django-ratelimit `_), the 

techniques here should provide a fairly comprehensive protection against the 

BREACH attack.

.. image:: https://badge.fury.io/py/django-debreach.png

    :target: https://badge.fury.io/py/django-debreach

    :alt: PyPI

.. image:: https://travis-ci.org/lpomfrey/django-debreach.png?branch=master

    :target: https://travis-ci.org/lpomfrey/django-debreach

    :alt: Build status

.. image:: https://coveralls.io/repos/lpomfrey/django-debreach/badge.png?branch=master

    :target: https://coveralls.io/r/lpomfrey/django-debreach?branch=master

    :alt: Coverage

Installation & Usage

--------------------

Install from PyPI using::

    $ pip install django-debreach

To enable content length modification for all responses, add the

``debreach.middleware.RandomCommentMiddleware`` to the *start* of your

middleware, but *after* the ``GzipMiddleware`` if you are using that.::

    MIDDLEWARE_CLASSES = (

        'debreach.middleware.RandomCommentMiddleware',

        ...

    )

or::

    MIDDLEWARE_CLASSES = (

        'django.middleware.gzip.GzipMiddleware',

        'debreach.middleware.RandomCommentMiddleware',

        ...

    )

If you wish to disable this feature for selected views, simply apply the

``debreach.decorators.random_comment_exempt`` decorator to the view.

If you only want to protect a subset of views with content length modification

then it may be easier to not use the middleware, but to selectively apply the

``debreach.decorators.append_random_comment`` decorator to the views you want

protected.

Python 2 and Django < 2.0 support

---------------------------------

Version 2.0.0 drops all support for Python 2 and Django < 2.0. If you need 

support for those versions continue using ``django-debreach>=1.5.2,<2.0``.