Django, Content Security Policy directive
Add this to your settings.py:
# Keep our policy as strict as possible.
# Settings in this CSP_<DIRECTIVE>_SRC form are consumed by the django-csp
# package's middleware (csp.middleware.CSPMiddleware); Django itself does not
# read them, so that middleware must be listed in MIDDLEWARE for the header
# to be sent.
CSP_DEFAULT_SRC = ("'none'",)
CSP_STYLE_SRC = ("'self'", 'fonts.googleapis.com')
CSP_SCRIPT_SRC = ("'self'",)
CSP_FONT_SRC = ("'self'", 'fonts.gstatic.com')
CSP_IMG_SRC = ("'self'",)
And have a look at http://www.w3.org/TR/CSP/
Doesn't django implement Content Security Policy by default?
There is also the django-security package, but it does not support all existing CSP tokens and directives.
I think that Python programmers just use the HttpResponse object to do such simple things as issuing a CSP HTTP header.
Interestingly, Django has built-in middleware to manage the X-Frame-Options header, but there is nothing similar for CSP.
And the removal of the long-unsupported X-XSS-Protection header is planned only in Django 4.0.
Configuring Django Production Settings and Content Security Policy
Indeed, my issue was in the way I had configured my DNS settings. I kept my Django production settings as is (see above).
I added a custom domain in my Heroku settings and used the auto-generated server name in my CNAME settings in Cloudflare.
Then I ran a check in Mozilla Observatory and passed the tests.