django-sri


| Field | Value |
|---|---|
| Name | django-sri |
| Version | 0.7.0 |
| home_page | https://github.com/RealOrangeOne/django-sri |
| Summary | Subresource Integrity for Django |
| upload_time | 2023-09-12 08:20:23 |
| docs_url | None |
| author | Jake Howard |
| requires_python | >=3.8 |
| license | BSD |
| keywords | django subresource integrity sri |
| requirements | No requirements were recorded. |
| Travis-CI | No Travis. |
| coveralls test coverage | No coveralls. |

# Django SRI

![CI](https://github.com/RealOrangeOne/django-sri/workflows/CI/badge.svg)
![PyPI](https://img.shields.io/pypi/v/django-sri.svg)
![PyPI - Python Version](https://img.shields.io/pypi/pyversions/django-sri.svg)
![PyPI - Status](https://img.shields.io/pypi/status/django-sri.svg)
![PyPI - License](https://img.shields.io/pypi/l/django-sri.svg)


[Subresource Integrity](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity) for Django.


## Installation

```
pip install django-sri
```

And add `sri` to your `INSTALLED_APPS`.

## Usage

### Template Tags

__Note__: By default, integrity hashes are not output when `DEBUG` is `True`, as static files change a lot during local development. To override this, set `USE_SRI` to `True`.

`django-sri` is designed to primarily be used through template tags:

```html
{% load sri %}

{% sri_static "index.js" %} <!-- Will output "<script src='/static/index.js' integrity='sha256-...'></script>" -->
{% sri_static "index.css" %} <!-- Will output "<link rel='stylesheet' href='/static/index.css' integrity='sha256-...'/>" -->
```

For performance, the hashes of files are cached in Django's [caching framework](https://docs.djangoproject.com/en/dev/topics/cache/). It will attempt to use the "sri" cache, but fall back to "default" if it doesn't exist. The cache keys are the hash of the file path in the specified algorithm in hex. Cached values are kept for as long as `DEFAULT_TIMEOUT` is set to.

#### Algorithms

The SRI standard supports 3 algorithms: sha256, sha384 and sha512. By default, SHA256 is used. To override this, supply an additional `algorithm` argument to the `sri` template tag (or the specific ones):

```html
{% load sri %}

{% sri_static "index.js" algorithm="sha512" %} <!-- Will output "<script src='/static/index.js' integrity='sha512-...'></script>" -->
```

The default algorithm can be changed by setting `SRI_ALGORITHM` to the required algorithm.

#### Additional attributes

To add additional attributes to the output tag (such as `async` / `defer`), specify them as additional arguments to the template tag:

```html
{% load sri %}

{% sri_static "index.js" 'defer' 'async'%}
{% sri_static "index.woff2" preload as="font" %}
```

#### Just the integrity value

To retrieve just the integrity hash (the contents of the `integrity` attribute), you can use the `{% sri_integrity_static %}` tag, which supports the same arguments as the other tags.

```html
{% load sri %}

{% sri_integrity_static "index.js" "sha512" %} <!-- Will output "sha512-..." -->
```

#### Supported Files

For automatic tag output, the following files are supported:

- `.js`
- `.css`

Unknown extensions will emit a `link` tag with the URL as the `href` attribute.

`sri_integrity_static` is unaffected by this limitation.

### API

```python
from pathlib import Path
from sri import calculate_integrity, calculate_integrity_of_static, Algorithm

calculate_integrity(Path("/path/to/myfile.txt"))  # "sha256-..."
calculate_integrity_of_static("index.js")  # "sha256-..."

calculate_integrity_of_static("index.js", Algorithm.SHA512)  # "sha512-..."
```
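The `"sha256-..."` strings above follow the SRI format: the algorithm name, a hyphen, and the base64 of the raw digest. The following added example (not part of django-sri; `integrity_value` and `matches_integrity` are hypothetical names, standard library only) builds such a value and checks file bytes against an `integrity` attribute, which is useful as a deploy-time check that the served file still matches the rendered tag.

```python
import base64
import hashlib
import hmac

# The three algorithms the SRI standard supports, weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def integrity_value(content: bytes, algorithm: str = "sha256") -> str:
    """Return '<algorithm>-<base64 of the raw digest>' for the given bytes."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def matches_integrity(content: bytes, integrity: str) -> bool:
    """Check bytes against an integrity attribute (space-separated values).

    As in browsers, only values using the strongest algorithm present are
    compared, and any one of them may match. Unlike a browser, which loads
    the resource unchecked when no value is usable, this returns False so
    that a malformed attribute fails a deploy check.
    """
    candidates = []
    for token in integrity.split():
        algorithm, _, rest = token.partition("-")
        if algorithm in SRI_ALGORITHMS and rest:
            # Drop any '?option' suffix; unknown algorithms are skipped.
            candidates.append((algorithm, rest.split("?", 1)[0]))
    if not candidates:
        return False
    strongest = max(a for a, _ in candidates)  # names sort by strength
    for algorithm, expected in candidates:
        if algorithm != strongest:
            continue
        actual = integrity_value(content, algorithm).split("-", 1)[1]
        if hmac.compare_digest(actual.encode(), expected.encode()):
            return True
    return False


# Constructed sample input, standing in for a collected static file.
SAMPLE_JS = b"console.log('hello');\n"
```

A weaker hash listed alongside a stronger one is never consulted, so a stale `sha256` value next to a correct `sha512` value passes, while a correct `sha256` value next to a wrong `sha512` value fails.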

### _"Does this work with [whitenoise](https://whitenoise.evans.io/en/stable/) or alike?"_

Yes. `django-sri` outputs the static file URL in the same way the builtin `static` template tag does. This means the correct cachebusted URLs are output.

When using a manifest `STATICFILES_STORAGE`, `django-sri` will automatically retrieve the hashed and post-processed file as opposed to the original.



            
