djangocspadvanced 0.1.0
django-csp-advanced
A powerful Content-Security-Policy (CSP) middleware for Django. This CSP middleware supports
using a dictionary syntax for CSP, and using callables taking arguments (request, response)
to fill in parts of the dictionary.
For example, the following settings.py configuration:
ADVANCED_CSP = {
'block-all-mixed-content': True,
'frame-src': ['none'],
'plugin-types': ['application/pdf'],
'report-uri': '/dev/null',
'sandbox': ['allow-scripts'],
'script-src': ['self', 'https://dmoj.ca'],
'style-src': lambda request, response: ['self'],
'upgrade-insecure-requests': False,
}
generates this CSP (order may differ based on dictionary hashing):
style-src 'self'; script-src 'self' https://dmoj.ca; frame-src 'none'; plugin-types application/pdf; block-all-mixed-content; sandbox allow-scripts; report-uri /dev/null
Another feature is the ability to augment or replace the CSP from views:
def view(request):
response = HttpResponse()
response.csp = {'script-src': ['https://ajax.googleapis.com']}
return response
This will add https://ajax.googleapis.com to the list of origins listed for script-src to result in something like:
...; script-src 'self' https://dmoj.ca https://ajax.googleapis.com; ...
You can use 'override': True to replace the CSP instead:
def view(request):
response = HttpResponse()
response.csp = {'script-src': ['self'], 'override': True}
return response
This will replace the CSP with script-src 'self'.
You can also set csp_report on the response to add entry to the report-only CSP.
Note that neither csp or csp_report has any effect if their global version is disabled.
However, csp will be used to populate Content-Security-Policy-Report-Only if there is
no enforced CSP policy configured, but there is a report-only policy.
Installation
First, install the module with:
$ pip install django-csp-advanced
Or if you want the latest bleeding edge version:
$ pip install -e git://github.com/quantum5/django-csp-advanced.git
Then, add 'csp_advanced' to INSTALLED_APPS and 'csp_advanced.middleware.AdvancedCSPMiddleware'
to 'MIDDLEWARE' or 'MIDDLEWARE_CLASSES' depending on your setup.
Finally, use either a dictionary or a callable taking request, response as either
ADVANCED_CSP or ADVANCED_CSP_REPORT_ONLY.
Examples:
ADVANCED_CSP = lambda request, response: {'script-src': ['self']}
ADVANCED_CSP_REPORT_ONLY = {'script-src': ['self']}
ADVANCED_CSP = {'style-src': lambda request, response: ['self']}
You get the idea.
For personal and professional use. You cannot resell or redistribute these repositories in their original state.
There are no reviews.