Django-CSP is a Content Security Policy implementation for Django. It is implemented as middleware.
Django-CSP is configured entirely in Django's settings. Almost all of the settings take a tuple of possible values (cf. the spec). Only the allow directive has a default value ('self'); every other directive is left out of the header unless you specify it.
The simplest step is just turning on the middleware:
MIDDLEWARE_CLASSES = (
# ...
'csp.middleware.CSPMiddleware',
# ...
)
and adding csp to your installed apps[1]:
INSTALLED_APPS = (
# ...
'csp',
# ...
)
These settings take a tuple of source values. Note that the special values 'self' and 'none' must be written with their single quotes, since the values are passed through to the header as given; an unquoted self would be sent as a hostname rather than the keyword. See the spec for allowed use of the * wildcard:
CSP_ALLOW
CSP_IMG_SRC
CSP_SCRIPT_SRC
CSP_STYLE_SRC
CSP_OBJECT_SRC
CSP_MEDIA_SRC
CSP_FRAME_SRC
CSP_FONT_SRC
CSP_FRAME_ANCESTORS
The following settings take a single URI string, not a tuple:
CSP_REPORT_URI
CSP_POLICY_URI
Content Security Policy defines an options directive that allows you to re-enable inline scripts and eval(), both of which are disabled by default when CSP is active. To re-enable both, use the CSP_OPTIONS setting, a tuple:

CSP_OPTIONS = ('inline-script', 'eval-script')

Either inline-script or eval-script can also be enabled on its own. Bear in mind that blocking inline script and eval() is the main protection CSP offers against cross-site scripting, so re-enable them only as a stopgap while moving script into external files.
Content Security Policy allows you to specify a URI that accepts violation reports. Django-CSP includes a view that accepts these reports and forwards them by email to the addresses listed in the CSP_NOTIFY setting. Because browsers post reports without any credentials, the report view is necessarily unauthenticated, so treat the contents of a report as untrusted input.

To accept violation reports, add the following to your site's urls.py:

(r'^csp', include('csp.urls')),

Then set CSP_REPORT_URI in settings.py to match:

CSP_REPORT_URI = '/csp/report'
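What the report view has to do with the JSON a browser posts to CSP_REPORT_URI, as an added example rather than django-csp's own view: the field names (request, blocked-uri, violated-directive) follow the draft-era report format and are assumptions, the sample reports are constructed, and the size cap and CR/LF stripping are the checks you want before untrusted report text is forwarded by email.

```python
import json

# Field names follow the draft-era CSP report format; they are assumptions,
# not taken from django-csp's own report view.
REQUIRED_FIELDS = ("request", "blocked-uri", "violated-directive")
# The report endpoint is public and unauthenticated, so bound what we accept.
MAX_REPORT_BYTES = 4096


def parse_report(raw):
    """Return the inner csp-report dict, or raise ValueError for bad input."""
    if len(raw) > MAX_REPORT_BYTES:
        raise ValueError("report too large")
    try:
        body = json.loads(raw)
    except ValueError as exc:  # json.JSONDecodeError is a subclass
        raise ValueError(f"not JSON: {exc}") from None
    report = body.get("csp-report") if isinstance(body, dict) else None
    if not isinstance(report, dict):
        raise ValueError("missing csp-report object")
    missing = [f for f in REQUIRED_FIELDS if not isinstance(report.get(f), str)]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    # Flatten CR/LF so attacker-supplied strings cannot inject mail headers
    # or fake extra lines when the report is placed in a notification email.
    return {
        key: value.replace("\r", " ").replace("\n", " ")
        for key, value in report.items()
        if isinstance(value, str)
    }


def summarize(reports):
    """Count accepted reports per violated directive; returns (counts, rejected)."""
    counts = {}
    rejected = 0
    for raw in reports:
        try:
            rep = parse_report(raw)
        except ValueError:
            rejected += 1
            continue
        key = rep["violated-directive"]
        counts[key] = counts.get(key, 0) + 1
    return counts, rejected


def notification_body(reports):
    """Plain-text body for a CSP_NOTIFY email, one line per report."""
    lines = []
    for raw in reports:
        try:
            rep = parse_report(raw)
        except ValueError as exc:
            lines.append(f"rejected report: {exc}")
            continue
        lines.append(
            f"{rep['violated-directive']} blocked {rep['blocked-uri']} "
            f"on {rep['request']}"
        )
    return "\n".join(lines)


# Constructed sample reports (not real browser output).
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "request": "GET http://example.com/ HTTP/1.1",
        "blocked-uri": "http://evil.example/x.js",
        "violated-directive": "script-src 'self'"}}),
    json.dumps({"csp-report": {
        "request": "GET http://example.com/about HTTP/1.1",
        "blocked-uri": "self",
        "violated-directive": "options inline-script"}}),
    json.dumps({"csp-report": {
        "request": "GET http://example.com/ HTTP/1.1",
        "blocked-uri": "http://cdn.example/a.js",
        "violated-directive": "script-src 'self'"}}),
    '{"csp-report": {"request": "GET / HTTP/1.1"}}',  # missing fields
    "not json at all",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORTS))
    print(notification_body(SAMPLE_REPORTS))
```

Grouping by violated directive is what makes report-only mode useful in practice: a handful of distinct directives with high counts usually points at one missing source in the policy rather than many separate problems.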
Content Security Policy headers can be long. If you have a complicated policy, you might find it more effective to specify only a policy URI in the header. The browser can make a second request for the policy and potentially take advantage of client-side caching to reduce the amount of data per request.
To use a policy URI, set the CSP_POLICY_URI setting and include the CSP URLs as above:

CSP_POLICY_URI = '/csp/policy'
Content Security Policy supports a report-only mode that will send violation reports but not enforce the policy in the browser. This allows you to test a site for compliance without potentially breaking anything for your users.

To activate report-only mode, set CSP_REPORT_ONLY in settings:

CSP_REPORT_ONLY = True
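How the settings listed above turn into a single header value, covering the tuple and URI settings, CSP_OPTIONS, CSP_POLICY_URI and CSP_REPORT_ONLY. This is an added illustration, not django-csp's middleware: the serialization, the directive order and the X-Content-Security-Policy / X-Content-Security-Policy-Report-Only header names are assumptions based on the pre-standard CSP draft that uses the allow and options directives, and the settings dict stands in for Django's settings module so the code runs without Django.

```python
# Added example: builds a draft-era CSP header from CSP_* settings.
# Not django-csp's own code; header names and ordering are assumptions.

# Setting name -> directive name, for settings that take a tuple.
TUPLE_SETTINGS = {
    "CSP_ALLOW": "allow",
    "CSP_IMG_SRC": "img-src",
    "CSP_SCRIPT_SRC": "script-src",
    "CSP_STYLE_SRC": "style-src",
    "CSP_OBJECT_SRC": "object-src",
    "CSP_MEDIA_SRC": "media-src",
    "CSP_FRAME_SRC": "frame-src",
    "CSP_FONT_SRC": "font-src",
    "CSP_FRAME_ANCESTORS": "frame-ancestors",
    "CSP_OPTIONS": "options",
}
# Settings that take a single URI string.
URI_SETTINGS = {
    "CSP_REPORT_URI": "report-uri",
    "CSP_POLICY_URI": "policy-uri",
}
KEYWORDS = ("self", "none")
HEADER = "X-Content-Security-Policy"  # assumed draft-era header name


def _check_source(value):
    """Reject keyword sources written without their single quotes."""
    if value in KEYWORDS:
        raise ValueError(f"keyword source {value!r} must be written as '{value}'")
    return value


def _join(setting, values):
    # A bare string would be iterated character by character, so catch it.
    if isinstance(values, str):
        raise TypeError(f"{setting} must be a tuple, not a string")
    return " ".join(_check_source(v) for v in values)


def build_policy(settings):
    """Return (header_name, header_value) for a dict of CSP_* settings."""
    header = HEADER + ("-Report-Only" if settings.get("CSP_REPORT_ONLY") else "")

    # With a policy URI the header carries only that directive; the browser
    # fetches the full policy from the URI.
    if "CSP_POLICY_URI" in settings:
        return header, f"policy-uri {settings['CSP_POLICY_URI']}"

    directives = []
    # Only allow has a default; every other directive is emitted only if set.
    allow = settings.get("CSP_ALLOW", ("'self'",))
    directives.append("allow " + _join("CSP_ALLOW", allow))
    for setting, directive in TUPLE_SETTINGS.items():
        if setting == "CSP_ALLOW" or setting not in settings:
            continue
        directives.append(directive + " " + _join(setting, settings[setting]))
    if "CSP_REPORT_URI" in settings:
        directives.append(f"report-uri {settings['CSP_REPORT_URI']}")
    return header, "; ".join(directives)


if __name__ == "__main__":
    example = {
        "CSP_IMG_SRC": ("'self'", "https://images.example.com"),
        "CSP_SCRIPT_SRC": ("'self'",),
        "CSP_OPTIONS": ("inline-script",),
        "CSP_REPORT_URI": "/csp/report",
        "CSP_REPORT_ONLY": True,
    }
    name, value = build_policy(example)
    print(f"{name}: {value}")
```

The two rejections in _join and _check_source are the mistakes that silently weaken a policy: a bare string setting yields one-character sources, and an unquoted self is treated as a hostname, so neither fails loudly in the browser.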
[1] Strictly speaking, csp only needs to be in your installed apps if you plan to use the report feature.