A powerful CSP middleware for Django.
Switch branches/tags
Nothing to show
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


django-csp-advanced Build Status Coverage

A powerful Content-Security-Policy (CSP) middleware for Django. This CSP middleware supports using a dictionary syntax for CSP, and using callables taking arguments (request, response) to fill in parts of the dictionary.

For example, the following settings.py configuration:

    'block-all-mixed-content': True,
    'frame-src': ['none'],
    'plugin-types': ['application/pdf'],
    'report-uri': '/dev/null',
    'sandbox': ['allow-scripts'],
    'script-src': ['self', 'https://dmoj.ca'],
    'style-src': lambda request, response: ['self'],
    'upgrade-insecure-requests': False,

generates this CSP (order may differ based on dictionary hashing):

style-src 'self'; script-src 'self' https://dmoj.ca; frame-src 'none'; plugin-types application/pdf; block-all-mixed-content; sandbox allow-scripts; report-uri /dev/null

Another feature is the ability to augment or replace the CSP from views:

def view(request):
    response = HttpResponse()
    response.csp = {'script-src': ['https://ajax.googleapis.com']}
    return response

This will add https://ajax.googleapis.com to the list of origins listed for script-src to result in something like:

...; script-src 'self' https://dmoj.ca https://ajax.googleapis.com; ...

You can use 'override': True to replace the CSP instead:

def view(request):
    response = HttpResponse()
    response.csp = {'script-src': ['self'], 'override': True}
    return response

This will replace the CSP with script-src 'self'.

You can also set csp_report on the response to add entry to the report-only CSP. Note that neither csp or csp_report has any effect if their global version is disabled. However, csp will be used to populate Content-Security-Policy-Report-Only if there is no enforced CSP policy configured, but there is a report-only policy.


First, install the module with:

$ pip install django-csp-advanced

Or if you want the latest bleeding edge version:

$ pip install -e git://github.com/quantum5/django-csp-advanced.git

Then, add 'csp_advanced' to INSTALLED_APPS and 'csp_advanced.middleware.AdvancedCSPMiddleware' to 'MIDDLEWARE' or 'MIDDLEWARE_CLASSES' depending on your setup.

Finally, use either a dictionary or a callable taking request, response as either ADVANCED_CSP or ADVANCED_CSP_REPORT_ONLY.


ADVANCED_CSP = lambda request, response: {'script-src': ['self']}

ADVANCED_CSP_REPORT_ONLY = {'script-src': ['self']}

ADVANCED_CSP = {'style-src': lambda request, response: ['self']}

You get the idea.