2017-07-15 03:36:43 -04:00
|
|
|
# django-csp-advanced [](https://travis-ci.org/quantum5/django-csp-advanced) [](https://codecov.io/gh/quantum5/django-csp-advanced)
|
2017-07-15 03:22:55 -04:00
|
|
|
|
|
|
|
|
A powerful `Content-Security-Policy` (CSP) middleware for Django. This CSP middleware supports
|
|
|
|
|
using a dictionary syntax for CSP, and using callables taking arguments `(request, response)`
|
|
|
|
|
to fill in parts of the dictionary.
|
|
|
|
|
|
|
|
|
|
For example, the following `settings.py` configuration:
|
|
|
|
|
|
|
|
|
|
```python
|
|
|
|
|
ADVANCED_CSP = {
|
|
|
|
|
'block-all-mixed-content': True,
|
|
|
|
|
'frame-src': ['none'],
|
|
|
|
|
'plugin-types': ['application/pdf'],
|
|
|
|
|
'report-uri': '/dev/null',
|
|
|
|
|
'sandbox': ['allow-scripts'],
|
|
|
|
|
'script-src': ['self', 'https://dmoj.ca'],
|
|
|
|
|
'style-src': lambda request, response: ['self'],
|
|
|
|
|
'upgrade-insecure-requests': False,
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
generates this CSP (order may differ based on dictionary hashing):
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
style-src 'self'; script-src 'self' https://dmoj.ca; frame-src 'none'; plugin-types application/pdf; block-all-mixed-content; sandbox allow-scripts; report-uri /dev/null
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Another feature is the ability to augment or replace the CSP from views:
|
|
|
|
|
|
|
|
|
|
```python
|
|
|
|
|
def view(request):
|
|
|
|
|
response = HttpResponse()
|
|
|
|
|
response.csp = {'script-src': ['https://ajax.googleapis.com']}
|
|
|
|
|
return response
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
This will add `https://ajax.googleapis.com` to the list of origins listed for `script-src` to result in something like:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
...; script-src 'self' https://dmoj.ca https://ajax.googleapis.com; ...
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
You can use `'override': True` to replace the CSP instead:
|
|
|
|
|
|
|
|
|
|
```python
|
|
|
|
|
def view(request):
|
|
|
|
|
response = HttpResponse()
|
|
|
|
|
response.csp = {'script-src': ['self'], 'override': True}
|
|
|
|
|
return response
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
This will replace the CSP with `script-src 'self'`.
|
|
|
|
|
|
|
|
|
|
You can also set `csp_report` on the response to add entry to the report-only CSP.
|
|
|
|
|
Note that neither `csp` or `csp_report` has any effect if their global version is disabled.
|
|
|
|
|
However, `csp` will be used to populate `Content-Security-Policy-Report-Only` if there is
|
|
|
|
|
no enforced CSP policy configured, but there is a report-only policy.
|
|
|
|
|
|
|
|
|
|
## Installation
|
|
|
|
|
|
|
|
|
|
First, install the module with:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ pip install django-csp-advanced
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Or if you want the latest bleeding edge version:
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
$ pip install -e git://github.com/quantum5/django-csp-advanced.git
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
Then, add `'csp_advanced'` to `INSTALLED_APPS` and `'csp_advanced.middleware.AdvancedCSPMiddleware'`
|
|
|
|
|
to `'MIDDLEWARE'` or `'MIDDLEWARE_CLASSES'` depending [on your setup](https://docs.djangoproject.com/en/dev/topics/http/middleware/).
|
|
|
|
|
|
|
|
|
|
Finally, use either a dictionary or a callable taking `request, response` as either
|
|
|
|
|
`ADVANCED_CSP` or `ADVANCED_CSP_REPORT_ONLY`.
|
|
|
|
|
|
|
|
|
|
Examples:
|
|
|
|
|
|
|
|
|
|
```python
|
|
|
|
|
ADVANCED_CSP = lambda request, response: {'script-src': ['self']}
|
|
|
|
|
|
|
|
|
|
ADVANCED_CSP_REPORT_ONLY = {'script-src': ['self']}
|
|
|
|
|
|
|
|
|
|
ADVANCED_CSP = {'style-src': lambda request, response: ['self']}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
You get the idea.
|
