Django-CSP adds Content Security Policy (CSP) headers to the responses of a Django site. It is implemented as middleware.
Django-CSP is configured entirely in Django's settings. Almost all of the settings take a tuple of possible values (see the CSP specification for the source expressions each directive accepts). Only the default-src directive has a default value, 'self', so a site that turns on the middleware without any further configuration allows same-origin resources only, which also blocks inline scripts and styles. All other directives are left out of the header unless you set them.
Turning on CSP
The simplest step is just turning on the middleware:

    MIDDLEWARE_CLASSES = (
        # ...
        'csp.middleware.CSPMiddleware',
        # ...
    )

and adding csp to your installed apps:

    INSTALLED_APPS = (
        # ...
        'csp',
        # ...
    )
Policy Settings

These settings take a tuple of values. The keyword sources defined by the spec, such as 'self', 'unsafe-inline', 'unsafe-eval' and 'none', must be written with the single quotes included; a bare self would be sent to the browser as a host named self and match nothing. See the spec for when the 'unsafe-*' values are permitted and for the flags CSP_SANDBOX accepts.

* CSP_DEFAULT_SRC
* CSP_IMG_SRC
* CSP_SCRIPT_SRC
* CSP_STYLE_SRC
* CSP_OBJECT_SRC
* CSP_MEDIA_SRC
* CSP_FRAME_SRC
* CSP_FONT_SRC
* CSP_CONNECT_SRC
* CSP_SANDBOX

The following settings take only a URI (a single string), not a tuple:

* CSP_REPORT_URI (see Reports below)
You can disable CSP for specific URL prefixes with the CSP_EXCLUDE_URL_PREFIXES setting. For example, to exclude the Django admin:

    CSP_EXCLUDE_URL_PREFIXES = ('/admin',)

Responses for matching paths carry no CSP header at all, so keep this list short: every excluded prefix is a part of the site the policy does not protect. The comparison is a path-prefix match, so '/admin' also covers everything below '/admin/'.
Reports

Content Security Policy allows you to specify a URI that accepts violation reports. Django-CSP includes a view that accepts these reports, processes them, and stores them. Reports are grouped according to a heuristic combination of their fields, and when a new group is recognized, Django-CSP will notify by email, either by mailing the ADMINS list or a list of addresses configured in a dedicated Django-CSP setting.
To accept violation reports, you need only include Django-CSP's URL patterns in your site's URLconf. Then point CSP_REPORT_URI at the path where the report view is served, for example:

    CSP_REPORT_URI = '/csp/report'

The report endpoint accepts POSTs from any client, so it has to treat report bodies as untrusted input, and you should expect noise from browser extensions and the occasional flood of reports.
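As an added example (not Django-CSP's own view or grouping logic), the following shows what a browser posts to CSP_REPORT_URI and one heuristic for grouping such reports by violated directive and blocked origin. The report JSON shape (a top-level "csp-report" object with document-uri, blocked-uri, violated-directive and original-policy) is the one the CSP spec defines; the grouping key, the function names and the SAMPLE_REPORTS bodies are this example's own assumptions.

```python
# Added example, not django-csp's own code. The function names, the grouping
# heuristic and the sample report bodies below are this example's assumptions.
import json
from urllib.parse import urlsplit

# Constructed sample report bodies, as a browser would POST them to the
# report-uri with Content-Type: application/csp-report.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://example.com/profile/42",
        "referrer": "",
        "blocked-uri": "https://tracker.example.net/pixel.js",
        "violated-directive": "script-src 'self'",
        "original-policy": "default-src 'self'; report-uri /csp/report",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://example.com/profile/43",
        "blocked-uri": "https://tracker.example.net/pixel.js?u=43",
        "violated-directive": "script-src 'self'",
        "original-policy": "default-src 'self'; report-uri /csp/report",
    }}),
    json.dumps({"csp-report": {
        "document-uri": "https://example.com/",
        "blocked-uri": "inline",
        "violated-directive": "style-src 'self'",
        "original-policy": "default-src 'self'; report-uri /csp/report",
    }}),
    '{"not": "a report"}',  # malformed body: must be rejected, not stored
]


def parse_report(body):
    """Return the csp-report dict, or None if the body is not a CSP report.

    The report endpoint is reachable by anyone, so the body is untrusted:
    bound its size, require valid JSON, and check the expected shape.
    """
    if len(body) > 64 * 1024:
        return None
    try:
        data = json.loads(body)
    except ValueError:
        return None
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict):
        return None
    required = ("document-uri", "blocked-uri", "violated-directive")
    if not all(isinstance(report.get(k), str) for k in required):
        return None
    return report


def group_key(report):
    """Heuristic grouping key: the violated directive plus the origin of the
    blocked resource. Paths and query strings vary per page view, but the
    origin is what you need to decide whether to allow-list it. Non-URL
    values such as "inline" or "eval" are kept as they are."""
    directive = report["violated-directive"].split()[0]
    blocked = report["blocked-uri"]
    parts = urlsplit(blocked)
    if parts.scheme and parts.netloc:
        origin = "%s://%s" % (parts.scheme, parts.netloc)
    else:
        origin = blocked
    return (directive, origin)


def group_reports(bodies):
    """Count the valid reports per group; returns {group_key: count}.
    A group seen for the first time is what would trigger a notification."""
    counts = {}
    for body in bodies:
        report = parse_report(body)
        if report is None:
            continue
        key = group_key(report)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for key, count in sorted(group_reports(SAMPLE_REPORTS).items()):
        print("%-12s %-35s %d" % (key[0], key[1], count))
```

Two of the three valid sample reports differ only in the query string of the blocked script, so they fall into one group, which is the point of grouping on the origin rather than the full URI.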
Content Security Policy supports a report-only mode that will send violation reports but not enforce the policy in the browser. This allows you to test a site for compliance without potentially breaking anything for your users. In this mode the policy is sent in the Content-Security-Policy-Report-Only header instead of Content-Security-Policy. Because nothing is blocked, report-only mode is only useful together with a CSP_REPORT_URI; without one, violations are never seen.

To activate report-only mode, simply turn on

    CSP_REPORT_ONLY = True
Modifying the Policy
Right now, the only way to modify the policy is with the @csp_exempt decorator:

    from django.http import HttpResponse
    from csp.decorators import csp_exempt

    @csp_exempt
    def myview(request):
        return HttpResponse()

This will prevent the CSPMiddleware from sending any CSP headers from this view. An exempt view has no policy at all, so reserve it for views you cannot make comply, and keep track of them so they can be revisited.

Planned:

* a @csp_patch decorator that will allow you to patch a policy for a specific view. Will be... complicated.
* a @csp_override decorator that allows you to replace a policy for a specific view.
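To make the settings described on this page concrete, here is an added, dependency-free example (not django-csp's own code) of the header assembly a CSP middleware performs: it renders the policy a settings module produces, applies CSP_EXCLUDE_URL_PREFIXES, switches the header name under CSP_REPORT_ONLY, models the effect of @csp_exempt, and rejects the quoting mistake mentioned under Policy Settings. The function names, the directive ordering, the view_exempt flag and the SAMPLE_SETTINGS dict are this example's assumptions; the setting names and the quoting rule for keyword sources are the page's.

```python
# Added example, not django-csp's own code: a dependency-free stand-in for the
# header assembly a CSP middleware performs, so the header a settings module
# will produce can be inspected before deployment. The helper names, the
# directive ordering, view_exempt and SAMPLE_SETTINGS are this example's
# assumptions, not django-csp's API.

# Keyword sources the CSP spec requires in single quotes. A bare  self  is
# sent to the browser as a host named "self", which matches nothing.
KEYWORD_SOURCES = ("'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'")
_BARE_KEYWORDS = frozenset(k.strip("'") for k in KEYWORD_SOURCES)

# Setting name -> directive name, in the order the header is emitted.
DIRECTIVES = (
    ("CSP_DEFAULT_SRC", "default-src"),
    ("CSP_SCRIPT_SRC", "script-src"),
    ("CSP_STYLE_SRC", "style-src"),
    ("CSP_IMG_SRC", "img-src"),
    ("CSP_OBJECT_SRC", "object-src"),
    ("CSP_MEDIA_SRC", "media-src"),
    ("CSP_FRAME_SRC", "frame-src"),
    ("CSP_FONT_SRC", "font-src"),
    ("CSP_CONNECT_SRC", "connect-src"),
    ("CSP_SANDBOX", "sandbox"),
)


def policy_errors(settings):
    """List configuration mistakes that would silently weaken the policy:
    keyword sources given without their single quotes, and tuple settings
    given as a plain string (which a naive join would iterate per character)."""
    errors = []
    for setting, _directive in DIRECTIVES:
        values = settings.get(setting)
        if values is None:
            continue
        if isinstance(values, str):
            errors.append("%s must be a tuple, not a string" % setting)
            continue
        for value in values:
            if value in _BARE_KEYWORDS:
                errors.append("%s: %s must be written as '%s'" % (setting, value, value))
    return errors


def build_policy(settings):
    """Render the policy string for a settings dict.

    Only default-src has a default ('self'); every other directive is left
    out unless its setting is present. CSP_REPORT_URI is a single string
    and is appended as report-uri.
    """
    errors = policy_errors(settings)
    if errors:
        raise ValueError("; ".join(errors))
    parts = []
    for setting, directive in DIRECTIVES:
        values = settings.get(setting)
        if setting == "CSP_DEFAULT_SRC" and values is None:
            values = ("'self'",)
        # sandbox with no flags is a valid directive; other empty tuples are skipped.
        if values is None or (not values and directive != "sandbox"):
            continue
        parts.append(" ".join((directive,) + tuple(values)))
    report_uri = settings.get("CSP_REPORT_URI")
    if report_uri:
        parts.append("report-uri %s" % report_uri)
    return "; ".join(parts)


def csp_header(settings, request_path, view_exempt=False):
    """Return the (name, value) header pair for a response, or None in the
    two cases where no policy is sent: the path matches a prefix in
    CSP_EXCLUDE_URL_PREFIXES, or the view is exempt (view_exempt stands in
    for the effect of @csp_exempt). CSP_REPORT_ONLY selects the report-only
    header, so the browser reports violations but enforces nothing."""
    if view_exempt:
        return None
    prefixes = tuple(settings.get("CSP_EXCLUDE_URL_PREFIXES", ()))
    if prefixes and request_path.startswith(prefixes):
        return None
    name = ("Content-Security-Policy-Report-Only"
            if settings.get("CSP_REPORT_ONLY") else "Content-Security-Policy")
    return name, build_policy(settings)


# Constructed sample settings in the shape of a Django settings module.
SAMPLE_SETTINGS = {
    "CSP_DEFAULT_SRC": ("'self'",),
    "CSP_SCRIPT_SRC": ("'self'", "https://cdn.example.com"),
    "CSP_IMG_SRC": ("'self'", "data:"),
    "CSP_OBJECT_SRC": ("'none'",),
    "CSP_REPORT_URI": "/csp/report",
    "CSP_REPORT_ONLY": True,
    "CSP_EXCLUDE_URL_PREFIXES": ("/admin",),
}

if __name__ == "__main__":
    print(csp_header(SAMPLE_SETTINGS, "/"))
    print(csp_header(SAMPLE_SETTINGS, "/admin/login/"))
    print(policy_errors({"CSP_SCRIPT_SRC": ("self",), "CSP_IMG_SRC": "'self'"}))
```

Running the block prints the report-only header for a normal page, None for a path under the excluded admin prefix, and the two configuration mistakes policy_errors catches: an unquoted self and a tuple setting given as a string.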