django-csp-nonce

Release 1.0b20

Nonce support for Content Security Policy in Django.

Homepage Repository PyPI Python

Keywords
CSP, Content, Security, Policy, Nonce, Django
License
MPL-2.0
Install
pip install django-csp-nonce==1.0b20

Documentation

Django-CSP-Nonce (beta)

Build Status

DCN is a Content-Security-Policy nonce injection support system for Django and CSP.

It provides for on-the-fly nonce creation and deployment. Once installed, DCN will generate a unique nonce
for each request (one for script-src and a separate one for style-src directives) append the nonce to the
CSP header, then make the nonce(s) accessible to the templates via the Django Context Processors.
DCN stays out of the way of Django-CSP and can operate
independently with any method of CSP insertion that passes through Django Middleware.

Disclosure

  • This code has not been through a third party security audit.
  • I’ve successfully tested this locally with pypy-5.4.1. TravisCI has confirmed this doesn’t work with their version.

Installation

pip install django-csp-nonce

Add DCN to MIDDLEWARE_CLASSES:

MIDDLEWARE_CLASSES = (
    [ ... ]
    'csp_nonce.middleware.CSPNonceMiddleware',
    # Make sure you put it *above* django-csp if you're using it
    [ ... ]
)

Add DCN to context_processors:

TEMPLATES = [
    {
        'BACKEND': 'django.template.backends.django.DjangoTemplates',
        'DIRS': [...],
        'APP_DIRS': True,
        'OPTIONS': {
            'context_processors': [
                'csp_nonce.context_processors.nonce',
                [ ... ]
            ],
        },
    },
]

Finally, add DCN directives to settings:

CSP_NONCE_SCRIPT = False  # True if you want to use it
CSP_NONCE_STYLE = False  # True if you want to use it
CSP_FLAG_STRICT = False  # True to include strict-dynamic in CSP

Usage

DCN takes care of nonce generation for you. As you work on your templates, pull in your specific nonce from the context:

<script type="text/javascript" {{ script_nonce }}>
...
</script>

<style {{ style_nonce }}>
...
</style>

Dependencies

  • Django

Known issues

  • Nonce sync breaks on settings.DEBUG=True

Important Changes

  • 1.0
    • Out of beta!
    • PyNacl is no longer a dependency. (Moving forward the aim is to stay compatible with environments such as Google App Engine which don't support non-python extensions.)

Running Tests

Use tox to run the tests against multiple versions of Python that you have installed and multiple versions of Django. Please make sure that you run your tests against at least Python 2.7 and Python 3.5.

virtualenv venv
. ./venv/bin/activate

pip install tox

tox

Stats

Dependencies
0
Dependent packages
0
Dependent repositories
0
Total releases
4
Latest release
First release
Stars
15
Forks
8
Watchers
8
Contributors
2
Repository size
41 KB
SourceRank
8

Development practices

Source repo 2FA enabled
TEXT!
Package manager 2FA enabled
TEXT!
Is security responsive
TEXT!
Dependencies are managed
TEXT!
Issue-free release available
TEXT!
Succession plan available
TEXT!
Package manager 2FA enabled
TEXT!

The Tidelift Subscription provides access to a continuously curated stream of human-researched and maintainer-verified data on open source packages and their licenses, releases, vulnerabilities, and development practices.

Learn more

Releases

1.0.0
1.0b20
1.0b10
1.0b1

Contributors

Bennyoak Robert


See all contributors

Something wrong with this page? Make a suggestion

Export .ABOUT file for this package

Last synced: 2023-06-08 03:18:52 UTC

Login to resync this project