django-simple-csp
=================
A simple Middleware for adding CSP headers and nonces in Django
Usage
=====
Requires Django >=1.10
Add it to the ``INSTALLED_APPS`` settings variable::

    INSTALLED_APPS = [
        ...
        'django.contrib.admin',
        'django.contrib.auth',
        'django.contrib.contenttypes',
        'django.contrib.sessions',
        'django.contrib.messages',
        'django.contrib.staticfiles',
        ...
        'django_simple_csp',
        ...
    ]
Add it to ``MIDDLEWARE`` (not ``MIDDLEWARE_CLASSES``)::

    MIDDLEWARE = [
        ...
        'django.middleware.security.SecurityMiddleware',
        'django.contrib.sessions.middleware.SessionMiddleware',
        'django.middleware.common.CommonMiddleware',
        'django.middleware.csrf.CsrfViewMiddleware',
        'django.contrib.auth.middleware.AuthenticationMiddleware',
        'django.contrib.messages.middleware.MessageMiddleware',
        'django.middleware.clickjacking.XFrameOptionsMiddleware',
        ...
        # the package name uses underscores, as in INSTALLED_APPS;
        # a hyphenated dotted path cannot be imported by Python
        'django_simple_csp.middleware.csp.CSPMiddleware',
        ...
    ]
CSS
---
Hashes
~~~~~~
Example use of a hashed inline style::

    {% load csp %}
    {% csp_css_hash %}
    td.style-class {
        background-color: red;
    }
    {% end_csp_css_hash %}

Hashed styles inside ``style="..."`` attributes are not supported by Chromium for now.
Nonces
~~~~~~
Example (quote the attribute: a base64 nonce may end in ``=``, which is not allowed in an unquoted attribute value)::

    {% load csp %}
    <style nonce="{% csp_css_nonce %}">
    td.style-class {
        background-color: red;
    }
    </style>
Javascript
----------
Nonces
~~~~~~
TODO: Change to hashes?
Example::

    {% load csp %}
    <script nonce="{% csp_js_nonce %}">
    alert("bla")
    </script>
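What the hash and nonce tags above contribute to the policy, as an added illustration that is not django-simple-csp's own code: the helper names (``csp_hash_source``, ``new_nonce``, ``nonce_source``, ``nonce_attribute``) are invented for this example, and the sample style block is constructed to match the README snippet.

```python
import base64
import hashlib
import secrets

# Added example, not django-simple-csp's implementation. It shows the two
# mechanisms the template tags rely on: a digest of the inline block, and a
# fresh per-response nonce.


def csp_hash_source(inline_content: str, algorithm: str = "sha256") -> str:
    """CSP source expression for an inline <style> or <script> body.

    The digest covers the exact bytes between the opening and closing tag,
    leading/trailing whitespace included, so any reformatting of the block
    (or a template rendering it differently) invalidates the hash.
    """
    if algorithm not in ("sha256", "sha384", "sha512"):
        raise ValueError("CSP only accepts sha256, sha384 or sha512 hashes")
    digest = hashlib.new(algorithm, inline_content.encode("utf-8")).digest()
    return f"'{algorithm}-{base64.b64encode(digest).decode('ascii')}'"


def new_nonce(num_bytes: int = 16) -> str:
    """Fresh per-response nonce: at least 128 bits from a CSPRNG, base64-encoded.

    A nonce must never be reused across responses, otherwise an attacker who
    learns one value can inject a script that the policy will accept.
    """
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def nonce_source(nonce: str) -> str:
    """The 'nonce-...' source expression that goes into script-src / style-src."""
    return f"'nonce-{nonce}'"


def nonce_attribute(nonce: str) -> str:
    """Render the HTML attribute for the tag.

    Base64 output can end in '=', which is not permitted in an unquoted
    attribute value, so the value is always quoted.
    """
    return f'nonce="{nonce}"'


if __name__ == "__main__":
    # Constructed sample: the README's style block as a template would emit it
    # between the tags (note the surrounding newlines, which are part of the hash).
    block = "\ntd.style-class {\n    background-color: red;\n}\n"
    print("style-src source:", csp_hash_source(block))
    nonce = new_nonce()
    print("header source:", nonce_source(nonce), "tag attribute:", nonce_attribute(nonce))
```

The hash of a block changes with a single added space, which is why the tag must wrap exactly the content that the browser sees; the nonce, by contrast, only has to match between the header and the tag of the same response.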
Config Values
-------------

``CSP_REPORT_URL = ""``
    The URL CSP violation reports are sent to. Leave it as ``""``, or do not define it, if reporting is not used.

``CSP_REPORT_ONLY = True``
    Only report CSP violations instead of enforcing the policy. Defaults to ``True``, so nothing is blocked until it is set to ``False``.

``CSP_ADDITIONAL_SCRIPT_SRC = []``
    List of additional hosts JavaScript may be loaded from.

``CSP_ADDITIONAL_STYLE_SRC = []``
    List of additional hosts CSS may be loaded from.

``CSP_ADDITIONAL_IMG_SRC = []``
    List of additional hosts images may be loaded from.

``CSP_ADDITIONAL_DEFAULT_SRC = []``
    List of additional hosts all other resources may be loaded from.
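How settings like the ones listed above turn into a header, as an added example that is not django-simple-csp's own code: the names ``CSPConfig``, ``build_csp_header`` and ``weak_sources`` are invented here, and the assumption that every directive starts from ``'self'`` is the example's, not necessarily the middleware's. It also includes a check a practitioner would want before deploying: flagging entries in the additional-host lists that widen the policy enough to defeat it.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Added example; not the middleware's implementation. Source expressions that
# effectively disable the protection a directive is meant to give.
WEAK_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "http:", "https:"}


@dataclass
class CSPConfig:
    """Mirror of the settings described in the README (assumed field names)."""
    report_url: str = ""
    report_only: bool = True
    additional_script_src: List[str] = field(default_factory=list)
    additional_style_src: List[str] = field(default_factory=list)
    additional_img_src: List[str] = field(default_factory=list)
    additional_default_src: List[str] = field(default_factory=list)


def build_csp_header(config: CSPConfig, script_nonce: Optional[str] = None,
                     style_sources: Tuple[str, ...] = ()) -> Tuple[str, str]:
    """Return (header name, header value) for one response.

    script_nonce is the per-response nonce the script tag carries; style_sources
    are the 'nonce-...' / 'sha256-...' expressions collected from style tags.
    Starting each directive from 'self' is an assumption of this example.
    """
    directives: Dict[str, List[str]] = {
        "default-src": ["'self'", *config.additional_default_src],
        "script-src": ["'self'", *config.additional_script_src],
        "style-src": ["'self'", *config.additional_style_src],
        "img-src": ["'self'", *config.additional_img_src],
    }
    if script_nonce:
        directives["script-src"].append(f"'nonce-{script_nonce}'")
    directives["style-src"].extend(style_sources)
    if config.report_url:
        directives["report-uri"] = [config.report_url]
    # Report-only is the README's default: violations are reported, not blocked.
    name = ("Content-Security-Policy-Report-Only" if config.report_only
            else "Content-Security-Policy")
    value = "; ".join(f"{d} {' '.join(v)}" for d, v in directives.items())
    return name, value


def weak_sources(config: CSPConfig) -> Dict[str, List[str]]:
    """Map each CSP_ADDITIONAL_* setting to the entries that would gut the policy."""
    found: Dict[str, List[str]] = {}
    for setting, hosts in (
        ("CSP_ADDITIONAL_SCRIPT_SRC", config.additional_script_src),
        ("CSP_ADDITIONAL_STYLE_SRC", config.additional_style_src),
        ("CSP_ADDITIONAL_IMG_SRC", config.additional_img_src),
        ("CSP_ADDITIONAL_DEFAULT_SRC", config.additional_default_src),
    ):
        bad = [h for h in hosts if h in WEAK_SOURCES]
        if bad:
            found[setting] = bad
    return found


if __name__ == "__main__":
    # Constructed configuration: enforcing, with a report endpoint and one CDN.
    cfg = CSPConfig(report_only=False, report_url="/csp-report/",
                    additional_img_src=["https://cdn.example"])
    print(*build_csp_header(cfg, script_nonce="abc123"), sep=": ")
    print(weak_sources(CSPConfig(additional_script_src=["*"])))
```

The default deserves attention: with ``CSP_REPORT_ONLY`` left at ``True`` the browser only reports, so a deployment that never sets it to ``False`` has no enforced policy at all, and ``weak_sources`` is the kind of check to run on settings before that switch is flipped.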
Upgrades
--------

From < 0.3
~~~~~~~~~~

``'django-simple-csp'`` has to be changed to ``'django_simple_csp'`` in ``INSTALLED_APPS`` in the Django ``settings.py``.
Raw data
{
"_id": null,
"home_page": null,
"name": "django-simple-csp",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.6",
"maintainer_email": "Nils Rokita <github@rokita.it>",
"keywords": "CSP, Content-Security-Policy, Django",
"author": "Henning Prid\u00f6hl",
"author_email": "Nils Rokita <github@rokita.it>",
"download_url": "https://files.pythonhosted.org/packages/23/f4/343e43f52f2114ee0c73f4d525f3a3a08b7e13eb97475ad9804cc8c4fdb8/django_simple_csp-0.5.dev1.tar.gz",
"platform": null,
"bugtrack_url": null,
"license": null,
"summary": "Django Content Security Policy support.",
"version": "0.5.dev1",
"project_urls": {
"Issues": "https://github.com/fsinfuhh/django-simple-csp/issues",
"Repository": "https://github.com/fsinfuhh/django-simple-csp"
},
"split_keywords": [
"csp",
" content-security-policy",
" django"
],
"urls": [
{
"comment_text": null,
"digests": {
"blake2b_256": "3aba56e9d0258f26bbf96f877ca0f3afcdc6e4399d3e21083dbeda0be8a449d3",
"md5": "a421daf3fa62796be862c8c061a5fc63",
"sha256": "015e0c058d4d72a71e6e0e6c3b1cbf4385795b52e096bce04b16856288c8438a"
},
"downloads": -1,
"filename": "django_simple_csp-0.5.dev1-py3-none-any.whl",
"has_sig": false,
"md5_digest": "a421daf3fa62796be862c8c061a5fc63",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.6",
"size": 5054,
"upload_time": "2025-07-08T21:48:09",
"upload_time_iso_8601": "2025-07-08T21:48:09.790992Z",
"url": "https://files.pythonhosted.org/packages/3a/ba/56e9d0258f26bbf96f877ca0f3afcdc6e4399d3e21083dbeda0be8a449d3/django_simple_csp-0.5.dev1-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": null,
"digests": {
"blake2b_256": "23f4343e43f52f2114ee0c73f4d525f3a3a08b7e13eb97475ad9804cc8c4fdb8",
"md5": "78e81718357cfba8ffb08fdc773bc867",
"sha256": "ea302e882303189a61736c83260b79594c8d8cf7a9c765d12afef6320df9aaed"
},
"downloads": -1,
"filename": "django_simple_csp-0.5.dev1.tar.gz",
"has_sig": false,
"md5_digest": "78e81718357cfba8ffb08fdc773bc867",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.6",
"size": 4081,
"upload_time": "2025-07-08T21:48:11",
"upload_time_iso_8601": "2025-07-08T21:48:11.030073Z",
"url": "https://files.pythonhosted.org/packages/23/f4/343e43f52f2114ee0c73f4d525f3a3a08b7e13eb97475ad9804cc8c4fdb8/django_simple_csp-0.5.dev1.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2025-07-08 21:48:11",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "fsinfuhh",
"github_project": "django-simple-csp",
"travis_ci": false,
"coveralls": false,
"github_actions": false,
"lcname": "django-simple-csp"
}