Django-CSP is a Content Security Policy implementation for Django. It is implemented as middleware.
Django-CSP is configured entirely in Django's settings. Almost all the arguments take a tuple of possible values (cf the spec). Only the default-src directive has a default value ('self'). All others are ignored unless specified.
The simplest step is just turning on the middleware:
MIDDLEWARE_CLASSES = ( # ... 'csp.middleware.CSPMiddleware', # ... )
and adding csp to your installed apps 
INSTALLED_APPS = ( # ... 'csp', # ... )
These settings take a tuple of values. For simplicity, the special values 'self', 'unsafe-inline', and 'unsafe-eval' must contain the single quotes. See the spec for allowed use of the * wildcard:
CSP_DEFAULT_SRC CSP_IMG_SRC CSP_SCRIPT_SRC CSP_STYLE_SRC CSP_OBJECT_SRC CSP_MEDIA_SRC CSP_FRAME_SRC CSP_FONT_SRC CSP_CONNECT_SRC CSP_SANDBOX
The following settings take only a URI, not a tuple:
CSP_EXCLUDE_URL_PREFIXES = ('/admin',)
Content Security Policy allows you to specify a URI that accepts violation reports. Django-CSP includes a view that accepts these reports, processes, and stores them. Reports are grouped according to a herusitic combination, and if a new Group is recognized, Django-CSP will notify by email, either by mailing the ADMINS list, or the list in the CSP_NOTIFY setting.
To accept violation reports, you need only add the following to your site's urls.py:
Then set the CSP_REPORT_URI in settings.py accordingly:
CSP_REPORT_URI = '/csp/report'
Content Security Policy supports a report-only mode that will send violation reports but not enforce the policy in the browser. This allows you to test a site for compliance without potentially breaking anything for your users.
To activate report-only mode, simply turn on CSP_REPORT_ONLY in settings:
CSP_REPORT_ONLY = True
Right now, the only way to modify the policy is with the @csp_exempt decorator:
from csp.decorators import csp_exempt @csp_exempt def myview(request): return HttpResponse()
This will prevent the CSPMiddleware from sending any CSP headers from this view.
- @csp_patch decorator that will allow you to patch a policy for a specific view. Will be... complicated.
- @csp_override decorator that allows you to replace a policy for a specific view.
|||Strictly speaking, csp only needs to be in your installed apps if you plan to use the report feature.|