https://github.com/quantum5/django-csp-advanced
A powerful CSP middleware for Django.
https://github.com/quantum5/django-csp-advanced
content-security-policy csp csp-report django http-header security
Last synced: 8 months ago
JSON representation
A powerful CSP middleware for Django.
- Host: GitHub
- URL: https://github.com/quantum5/django-csp-advanced
- Owner: quantum5
- Created: 2017-07-15T01:47:16.000Z (over 8 years ago)
- Default Branch: master
- Last Pushed: 2022-10-30T22:42:11.000Z (over 3 years ago)
- Last Synced: 2025-06-27T19:08:00.174Z (9 months ago)
- Topics: content-security-policy, csp, csp-report, django, http-header, security
- Language: Python
- Homepage: https://quantum2.xyz/projects/
- Size: 19.5 KB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# django-csp-advanced [](https://travis-ci.org/quantum5/django-csp-advanced) [](https://codecov.io/gh/quantum5/django-csp-advanced)
A powerful `Content-Security-Policy` (CSP) middleware for Django. This CSP middleware supports
using a dictionary syntax for CSP, and using callables taking arguments `(request, response)`
to fill in parts of the dictionary.
For example, the following `settings.py` configuration:
```python
ADVANCED_CSP = {
'block-all-mixed-content': True,
'frame-src': ['none'],
'plugin-types': ['application/pdf'],
'report-uri': '/dev/null',
'sandbox': ['allow-scripts'],
'script-src': ['self', 'https://dmoj.ca'],
'style-src': lambda request, response: ['self'],
'upgrade-insecure-requests': False,
}
```
generates this CSP (order may differ based on dictionary hashing):
```
style-src 'self'; script-src 'self' https://dmoj.ca; frame-src 'none'; plugin-types application/pdf; block-all-mixed-content; sandbox allow-scripts; report-uri /dev/null
```
Another feature is the ability to augment or replace the CSP from views:
```python
def view(request):
response = HttpResponse()
response.csp = {'script-src': ['https://ajax.googleapis.com']}
return response
```
This will add `https://ajax.googleapis.com` to the list of origins listed for `script-src` to result in something like:
```
...; script-src 'self' https://dmoj.ca https://ajax.googleapis.com; ...
```
You can use `'override': True` to replace the CSP instead:
```python
def view(request):
response = HttpResponse()
response.csp = {'script-src': ['self'], 'override': True}
return response
```
This will replace the CSP with `script-src 'self'`.
You can also set `csp_report` on the response to add entry to the report-only CSP.
Note that neither `csp` or `csp_report` has any effect if their global version is disabled.
However, `csp` will be used to populate `Content-Security-Policy-Report-Only` if there is
no enforced CSP policy configured, but there is a report-only policy.
## Installation
First, install the module with:
```
$ pip install django-csp-advanced
```
Or if you want the latest bleeding edge version:
```
$ pip install -e git://github.com/quantum5/django-csp-advanced.git
```
Then, add `'csp_advanced'` to `INSTALLED_APPS` and `'csp_advanced.middleware.AdvancedCSPMiddleware'`
to `'MIDDLEWARE'` or `'MIDDLEWARE_CLASSES'` depending [on your setup](https://docs.djangoproject.com/en/dev/topics/http/middleware/).
Finally, use either a dictionary or a callable taking `request, response` as either
`ADVANCED_CSP` or `ADVANCED_CSP_REPORT_ONLY`.
Examples:
```python
ADVANCED_CSP = lambda request, response: {'script-src': ['self']}
ADVANCED_CSP_REPORT_ONLY = {'script-src': ['self']}
ADVANCED_CSP = {'style-src': lambda request, response: ['self']}
```
You get the idea.