Django-CSP is a Content Security Policy implementation for Django. It is implemented as middleware.
Django-CSP is configured entirely in Django's settings. Almost all the arguments take a tuple of possible values (cf. the spec). Only the directive has a default value ('self'). All others are ignored unless
Turning on CSP
The simplest step is just turning on the middleware:
MIDDLEWARE_CLASSES = (
    # ...
    'csp.middleware.CSPMiddleware',
    # ...
)

Add csp to your installed apps:

INSTALLED_APPS = (
    # ...
    'csp',
    # ...
)
These settings take a tuple of values. For simplicity, the special values 'none' must contain the single quotes. See the spec for allowed use of the
CSP_ALLOW
CSP_IMG_SRC
CSP_SCRIPT_SRC
CSP_STYLE_SRC
CSP_OBJECT_SRC
CSP_MEDIA_SRC
CSP_FRAME_SRC
CSP_FONT_SRC
CSP_FRAME_ANCESTORS
The following settings take only a URI, not a tuple:
You can disable CSP for specific URL prefixes with the CSP_EXCLUDE_URL_PREFIXES setting. For example, to exclude the Django admin:
CSP_EXCLUDE_URL_PREFIXES = ('/admin',)
The Options Directive
Content Security Policy defines an options directive that allows you to re-enable inline scripts and eval(), both disabled by default when CSP
To re-enable both, for example, use the CSP_OPTIONS setting, a tuple:
CSP_OPTIONS = ('inline-script', 'eval-script')
eval-script can be enabled separately.
Content Security Policy allows you to specify a URI that accepts violation reports. Django-CSP includes a view that accepts these reports and forwards them via email to the list of people specified in the
To accept violation reports, you need only add the following to your site's
Then set the
CSP_REPORT_URI = '/csp/report'
Content Security Policy headers can be long. If you have a complicated policy, you might find it more effective to specify only a policy URI in the header. The browser can make a second request for the policy and potentially take advantage of client-side caching to reduce the amount of data per request.
To use a policy URI, just set the CSP_POLICY_URI setting, and include the CSP URLs as above:
CSP_POLICY_URI = '/csp/policy'
Content Security Policy supports a report-only mode that will send violation reports but not enforce the policy in the browser. This allows you to test a site for compliance without potentially breaking anything for your users.
To activate report-only mode, simply turn on
CSP_REPORT_ONLY = True
Modifying the Policy
Right now, the only way to modify the policy is with the
from django.http import HttpResponse
from csp.decorators import csp_exempt

@csp_exempt
def myview(request):
    return HttpResponse()
This will prevent the CSPMiddleware from sending any CSP headers from this
A @csp_patch decorator that will allow you to patch a policy for a specific view. Will be... complicated.
A @csp_override decorator that allows you to replace a policy for a specific view.
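As an added illustration (not django-csp's own code), the following shows how the tuple and URI settings described above, CSP_EXCLUDE_URL_PREFIXES, CSP_REPORT_ONLY and a csp_exempt-style view flag combine to decide which header a response gets; the header names and the setting-name to directive-name convention are assumptions, and the settings dict is constructed for the example.

```python
# Added illustration, not django-csp's own code. The header names and the
# CSP_IMG_SRC -> img-src naming convention are assumptions made here.
TUPLE_SETTINGS = (
    "CSP_ALLOW", "CSP_IMG_SRC", "CSP_SCRIPT_SRC", "CSP_STYLE_SRC",
    "CSP_OBJECT_SRC", "CSP_MEDIA_SRC", "CSP_FRAME_SRC", "CSP_FONT_SRC",
    "CSP_FRAME_ANCESTORS", "CSP_OPTIONS",
)
URI_SETTINGS = ("CSP_REPORT_URI", "CSP_POLICY_URI")  # single URI, not a tuple

def directive_name(setting):
    # Assumed convention: CSP_IMG_SRC -> img-src, CSP_REPORT_URI -> report-uri
    return setting[len("CSP_"):].lower().replace("_", "-")

def build_policy(settings):
    """Serialise the configured CSP_* settings into one policy string."""
    parts = []
    for name in TUPLE_SETTINGS:
        values = settings.get(name)
        if isinstance(values, str):
            # ("'self'") without a trailing comma is a str, not a 1-tuple
            raise TypeError("%s must be a tuple, not a bare string" % name)
        if values:  # unset directives are omitted, as the page describes
            parts.append("%s %s" % (directive_name(name), " ".join(values)))
    for name in URI_SETTINGS:
        if settings.get(name):
            parts.append("%s %s" % (directive_name(name), settings[name]))
    return "; ".join(parts)

def csp_headers(settings, path, exempt=False):
    """Headers a middleware would add for this path; {} means none."""
    if exempt:  # what a csp_exempt-decorated view would get
        return {}
    if any(path.startswith(p) for p in settings.get("CSP_EXCLUDE_URL_PREFIXES", ())):
        return {}
    header = "Content-Security-Policy"
    if settings.get("CSP_REPORT_ONLY"):
        header += "-Report-Only"  # browsers report violations but do not enforce
    return {header: build_policy(settings)}

# Constructed sample settings mirroring the page's examples.
SAMPLE_SETTINGS = {
    "CSP_ALLOW": ("'self'",),
    "CSP_IMG_SRC": ("'self'", "https://cdn.example.com"),
    "CSP_SCRIPT_SRC": ("'self'",),
    "CSP_OPTIONS": ("eval-script",),
    "CSP_REPORT_URI": "/csp/report",
    "CSP_EXCLUDE_URL_PREFIXES": ("/admin",),
    "CSP_REPORT_ONLY": True,
}
```

Calling csp_headers(SAMPLE_SETTINGS, "/") yields only the report-only header, while any path under /admin gets no CSP header at all.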