django-csp-advanced

Release 0.1.0

Provides a powerful interface to CSP headers for Django applications.

Homepage PyPI Python

Keywords
django, csp, security, content-security-policy, csp-report, http-header
License
GPL-3.0
Install
pip install django-csp-advanced==0.1.0

Documentation

django-csp-advanced Build Status Coverage

A powerful Content-Security-Policy (CSP) middleware for Django. This CSP middleware supports using a dictionary syntax for CSP, and using callables taking arguments (request, response) to fill in parts of the dictionary.

For example, the following settings.py configuration:

ADVANCED_CSP = {
    'block-all-mixed-content': True,
    'frame-src': ['none'],
    'plugin-types': ['application/pdf'],
    'report-uri': '/dev/null',
    'sandbox': ['allow-scripts'],
    'script-src': ['self', 'https://dmoj.ca'],
    'style-src': lambda request, response: ['self'],
    'upgrade-insecure-requests': False,
}

generates this CSP (order may differ based on dictionary hashing):

style-src 'self'; script-src 'self' https://dmoj.ca; frame-src 'none'; plugin-types application/pdf; block-all-mixed-content; sandbox allow-scripts; report-uri /dev/null

Another feature is the ability to augment or replace the CSP from views:

def view(request):
    response = HttpResponse()
    response.csp = {'script-src': ['https://ajax.googleapis.com']}
    return response

This will add https://ajax.googleapis.com to the list of origins listed for script-src to result in something like:

...; script-src 'self' https://dmoj.ca https://ajax.googleapis.com; ...

You can use 'override': True to replace the CSP instead:

def view(request):
    response = HttpResponse()
    response.csp = {'script-src': ['self'], 'override': True}
    return response

This will replace the CSP with script-src 'self'.

You can also set csp_report on the response to add entry to the report-only CSP. Note that neither csp or csp_report has any effect if their global version is disabled. However, csp will be used to populate Content-Security-Policy-Report-Only if there is no enforced CSP policy configured, but there is a report-only policy.

Installation

First, install the module with:

$ pip install django-csp-advanced

Or if you want the latest bleeding edge version:

$ pip install -e git://github.com/quantum5/django-csp-advanced.git

Then, add 'csp_advanced' to INSTALLED_APPS and 'csp_advanced.middleware.AdvancedCSPMiddleware' to 'MIDDLEWARE' or 'MIDDLEWARE_CLASSES' depending on your setup.

Finally, use either a dictionary or a callable taking request, response as either ADVANCED_CSP or ADVANCED_CSP_REPORT_ONLY.

Examples:

ADVANCED_CSP = lambda request, response: {'script-src': ['self']}

ADVANCED_CSP_REPORT_ONLY = {'script-src': ['self']}

ADVANCED_CSP = {'style-src': lambda request, response: ['self']}

You get the idea.

Stats

Dependencies
0
Dependent packages
0
Dependent repositories
0
Total releases
2
Latest release
First release
Stars
1
Forks
0
Watchers
2
Contributors
1
Repository size
19.5 KB
SourceRank
7

Development practices

Source repo 2FA enabled
TEXT!
Package manager 2FA enabled
TEXT!
Is security responsive
TEXT!
Dependencies are managed
TEXT!
Issue-free release available
TEXT!
Succession plan available
TEXT!
Package manager 2FA enabled
TEXT!

The Tidelift Subscription provides access to a continuously curated stream of human-researched and maintainer-verified data on open source packages and their licenses, releases, vulnerabilities, and development practices.

Learn more

Releases

0.1.0
0.0.1

Contributors

Guanzhong Chen


See all contributors

Something wrong with this page? Make a suggestion

Export .ABOUT file for this package

Last synced: 2023-02-03 18:25:07 UTC

Login to resync this project