Metadata-Version: 2.1
Name: django-simple-csp
Version: 0.3.dev1
Summary: Django Content Security Policy support.
Home-page: https://github.com/fsinfuhh/django-simple-csp
Author: Nils Rokita, Henning Pridöhl
Author-email: github@rokita.it, pridoeh@informatik.uni-hamburg.de
Maintainer: Nils Rokita
Maintainer-email: github@rokita.it
License: License :: OSI Approved :: MIT License
Platform: UNKNOWN
Classifier: Development Status :: 3 - Alpha
Classifier: Environment :: Web Environment
Classifier: Programming Language :: Python
Classifier: License :: OSI Approved :: MIT License
Classifier: Operating System :: OS Independent
Classifier: Intended Audience :: Developers
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.4
Classifier: Programming Language :: Python :: 3.5
Classifier: Programming Language :: Python :: 3.6
Classifier: Programming Language :: Python :: Implementation :: PyPy
Classifier: Programming Language :: Python :: Implementation :: CPython
Classifier: Framework :: Django
License-File: LICENSE

django-simple-csp
=================

A simple middleware for adding CSP headers, nonces and hashes in Django

Usage
=====

Requires Django >=1.10

Add it to the INSTALLED_APPS settings variable::

    INSTALLED_APPS = [
        ...
        'django.contrib.admin',
        'django.contrib.auth',
        'django.contrib.contenttypes',
        'django.contrib.sessions',
        'django.contrib.messages',
        'django.contrib.staticfiles',
        ...
        'django_simple_csp'
        ...
    ]


Add it to MIDDLEWARE (not MIDDLEWARE_CLASSES)::

    MIDDLEWARE = [
        ...
        'django.middleware.security.SecurityMiddleware',
        'django.contrib.sessions.middleware.SessionMiddleware',
        'django.middleware.common.CommonMiddleware',
        'django.middleware.csrf.CsrfViewMiddleware',
        'django.contrib.auth.middleware.AuthenticationMiddleware',
        'django.contrib.messages.middleware.MessageMiddleware',
        'django.middleware.clickjacking.XFrameOptionsMiddleware',
        ...
        'django_simple_csp.middleware.csp.CSPMiddleware',
        ...
    ]



CSS
---

TODO: remove hash from the name of tag?

Example use of hashed inline style::

    {% load csp %}
    {% csp_css_hash %}
        td.style-class {
            background-color: red;
        }
    {% end_csp_css_hash %}

The hash only whitelists the contents of a ``<style>`` element. It does not cover ``style="..."`` attributes: Chromium does not apply hashes to style attributes for now, so such inline styles are blocked (or reported, in report-only mode) unless they are moved into a hashed ``<style>`` block.

Javascript
----------

Nonces
~~~~~~

TODO: Change to hashes?

Example::

    {% load csp %}
    <script nonce="{% csp_js_nonce %}">
        alert("bla")
    </script>

Quote the attribute: the nonce is base64 and may end in ``=``, which is not allowed in an unquoted HTML attribute value.


Config Values
-------------

``CSP_REPORT_URL = ""``
    The URL CSP violation reports should be sent to. Set it to ``""`` or leave it undefined if reporting is not used.

``CSP_REPORT_ONLY = True``
    Send the policy in the ``Content-Security-Policy-Report-Only`` header: violations are only reported, not blocked. Defaults to True, so nothing is enforced until you set it to False.

``CSP_ADDITIONAL_SCRIPT_SRC = []``
    List of additional hosts JavaScript is allowed to be loaded from (appended to ``script-src``).

``CSP_ADDITIONAL_STYLE_SRC = []``
    List of additional hosts CSS is allowed to be loaded from (appended to ``style-src``).

``CSP_ADDITIONAL_IMG_SRC = []``
    List of additional hosts images are allowed to be loaded from (appended to ``img-src``).
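The following stand-alone Python is an added illustration, not django-simple-csp's own code or API: it shows what the ``csp_css_hash`` and ``csp_js_nonce`` tags and the middleware have to produce, namely a ``'sha256-...'`` source for a hashed inline style, a fresh per-response nonce, and the policy string assembled from the settings listed above, in report-only and enforcing form. The function names, the ``default-src 'self'`` baseline and the exact directive layout are assumptions for illustration; check the header your deployment actually emits in the browser's developer tools.

```python
import base64
import hashlib
import secrets

# Illustrative example; not django-simple-csp's own code. Function names,
# the "default-src 'self'" baseline and the directive layout are assumptions.


def css_hash_source(css_text: str) -> str:
    """CSP source expression for the body of an inline <style> element.

    Browsers hash the exact bytes between <style> and </style>, so the text
    is hashed as-is: one added space yields a different, non-matching hash.
    """
    digest = hashlib.sha256(css_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def generate_nonce(num_bytes: int = 16) -> str:
    """Unpredictable per-response nonce (128 bits, base64-encoded).

    A nonce protects only one response: reusing it across responses, or
    deriving it from something guessable, lets an injected
    <script nonce="..."> tag execute.
    """
    return base64.b64encode(secrets.token_bytes(num_bytes)).decode("ascii")


def nonce_attribute(nonce: str) -> str:
    """Quoted nonce attribute; base64 may end in '=' which an unquoted
    HTML attribute value cannot contain."""
    return 'nonce="%s"' % nonce


def build_policy(nonce, style_hashes=(), script_src=(), style_src=(),
                 img_src=(), report_url=""):
    """Assemble the policy value from a nonce, inline style hashes and the
    per-directive extras mirroring the CSP_ADDITIONAL_* settings.

    No 'unsafe-inline' anywhere: inline scripts run only with the nonce and
    inline styles only when their hash is listed.
    """
    directives = [
        "default-src 'self'",
        " ".join(["script-src 'self'", "'nonce-%s'" % nonce, *script_src]),
        " ".join(["style-src 'self'", *style_hashes, *style_src]),
        " ".join(["img-src 'self'", *img_src]),
    ]
    if report_url:
        directives.append("report-uri " + report_url)
    return "; ".join(directives)


def header_name(report_only: bool = True) -> str:
    """Report-only mode reports violations but blocks nothing; enforcement
    needs the plain header (CSP_REPORT_ONLY = False)."""
    if report_only:
        return "Content-Security-Policy-Report-Only"
    return "Content-Security-Policy"


if __name__ == "__main__":
    # Constructed sample: the style block from this README plus one CDN host.
    css = "\n    td.style-class {\n        background-color: red;\n    }\n"
    nonce = generate_nonce()
    policy = build_policy(nonce, style_hashes=[css_hash_source(css)],
                          script_src=["https://cdn.example"],
                          report_url="/csp-report/")
    for report_only in (True, False):
        print("%s: %s" % (header_name(report_only), policy))
    print("<script %s>alert('ok')</script>" % nonce_attribute(nonce))
```

The point to take from the enforcing run is that a policy built this way never needs ``'unsafe-inline'``: every inline script is tied to a nonce that is new per response and every inline style to its hash, so a script or style an attacker injects through an XSS bug has neither and does not run.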


Upgrades
-----------

From < 0.3
~~~~~~~~~~

'django-simple-csp' has to be changed into 'django_simple_csp' in the INSTALLED_APPS in Django settings.py (the middleware dotted path is 'django_simple_csp.middleware.csp.CSPMiddleware' as well, since a Python module path cannot contain a hyphen).


