Django, Content Security Policy Directive


Add this to your settings.py:

# Settings read by the django-csp middleware (CSP_<DIRECTIVE> maps to the <directive> header token)
# Keep our policy as strict as possible
CSP_DEFAULT_SRC = ("'none'",)
CSP_STYLE_SRC = ("'self'", 'fonts.googleapis.com')
CSP_SCRIPT_SRC = ("'self'",)
CSP_FONT_SRC = ("'self'", 'fonts.gstatic.com')
CSP_IMG_SRC = ("'self'",)

And have a look at http://www.w3.org/TR/CSP/

Doesn't Django implement Content Security Policy by default?

There is also the django-security package, but it does not support all existing CSP tokens and directives.

I think that Python programmers just use the HttpResponse object to do such simple things as issuing the CSP HTTP header.

But interestingly, Django has a built-in middleware to manage the X-Frame-Options header, yet there is no similar one for CSP.

And the removal of the long-unsupported X-XSS-Protection header is planned in Django 4.0 only.
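As an added example (not code from the page, from Django or from django-csp), here is what such a missing middleware looks like in miniature: it serialises CSP_* settings with the same names as the answer above into a Content-Security-Policy header. It has no Django dependency so it runs stand-alone; the SETTINGS dict and the dict-style response are stand-ins for django.conf.settings and HttpResponse.

```python
# Constructed copy of the policy from the answer above, keyed like django-csp settings.
SETTINGS = {
    "CSP_DEFAULT_SRC": ("'none'",),
    "CSP_STYLE_SRC": ("'self'", "fonts.googleapis.com"),
    "CSP_SCRIPT_SRC": ("'self'",),
    "CSP_FONT_SRC": ("'self'", "fonts.gstatic.com"),
    "CSP_IMG_SRC": ("'self'",),
}

HEADER = "Content-Security-Policy"


def build_csp_header(settings):
    """Turn CSP_<DIRECTIVE> settings into one header value.

    CSP_DEFAULT_SRC -> default-src, CSP_SCRIPT_SRC -> script-src, and so on.
    Directives are joined with "; " and their sources with a single space,
    as in the W3C CSP grammar linked above. Non-CSP or empty settings are skipped.
    """
    parts = []
    for name, sources in settings.items():
        if not name.startswith("CSP_") or not sources:
            continue
        directive = name[len("CSP_"):].lower().replace("_", "-")
        parts.append(directive + " " + " ".join(sources))
    return "; ".join(parts)


class CSPMiddleware:
    """Django-style middleware: a callable that wraps get_response."""

    def __init__(self, get_response, settings=SETTINGS):
        self.get_response = get_response
        self.header_value = build_csp_header(settings)

    def __call__(self, request):
        response = self.get_response(request)
        # Do not overwrite a policy a view set on purpose (e.g. a looser one
        # for a single page); only add the site-wide header when none exists.
        if HEADER not in response:
            response[HEADER] = self.header_value
        return response


if __name__ == "__main__":
    # Dict as a stand-in for HttpResponse: both support "in" and item assignment.
    response = CSPMiddleware(lambda request: {})(None)
    print(response[HEADER])
```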

Configuring Django Production Settings and Content Security Policy

Indeed, my issue was in the way I had configured my DNS settings. I kept my Django production settings as is (see above).

I added a custom domain in my Heroku settings and used the auto-generated server name in my CNAME settings in Cloudflare.

Then I ran a check in Mozilla Observatory and passed the tests.
