Configuring django-csp¶
Content-Security-Policy is a complicated header. There are many values you may need to tweak here.
Note
Note when a setting requires a tuple or list. Since Python strings are iterable, you may get very strange policies and errors.
It’s worth reading the latest CSP spec and making sure you understand it before configuring django-csp.
Policy Settings¶
These settings affect the policy in the header. The defaults are in italics.
Note
The “special” source values of 'self', 'unsafe-inline',
'unsafe-eval', and 'none' must be quoted! e.g.:
CSP_DEFAULT_SRC = ("'self'",). Without quotes they will not work
as intended.
CSP_DEFAULT_SRCSet the
default-srcdirective. A tuple or list of values, e.g.("'self'", 'cdn.example.net'). ‘self’CSP_SCRIPT_SRCSet the
script-srcdirective. A tuple or list. NoneCSP_IMG_SRCSet the
img-srcdirective. A tuple or list. NoneCSP_OBJECT_SRCSet the
object-srcdirective. A tuple or list. NoneCSP_MEDIA_SRCSet the
media-srcdirective. A tuple or list. NoneCSP_FRAME_SRCSet the
frame-srcdirective. A tuple or list. NoneCSP_FONT_SRCSet the
font-srcdirective. A tuple or list. NoneCSP_CONNECT_SRCSet the
connect-srcdirective. A tuple or list. NoneCSP_STYLE_SRCSet the
style-srcdirective. A tuple or list. NoneCSP_BASE_URISet the
base-uridirective. A tuple or list. None Note: This doesn’t use default-src as a fall-back.CSP_CHILD_SRCSet the
child-srcdirective. A tuple or list. None Note: Deprecated in CSP v3. Use frame-src and worker-src instead.CSP_FRAME_ANCESTORSSet the
FRAME_ANCESTORSdirective. A tuple or list. None Note: This doesn’t use default-src as a fall-back.CSP_FORM_ACTIONSet the
FORM_ACTIONdirective. A tuple or list. None Note: This doesn’t use default-src as a fall-back.CSP_SANDBOXSet the
sandboxdirective. A tuple or list. None Note: This doesn’t use default-src as a fall-back.CSP_REPORT_URISet the
report-uridirective. A string with a full or relative URI. Note: This doesn’t use default-src as a fall-back.CSP_MANIFEST_SRCSet the
manifest-srcdirective. A tuple or list. NoneCSP_WORKER_SRCSet the
worker-srcdirective. A tuple or list. NoneCSP_PLUGIN_TYPESSet the
plugin-typesdirective. A tuple or list. None Note: This doesn’t use default-src as a fall-back.CSP_REQUIRE_SRI_FORSet the
require-sri-fordirective. A tuple or list. None Valid values:script,style, or both. See: require-sri-for-known-tokens Note: This doesn’t use default-src as a fall-back.CSP_UPGRADE_INSECURE_REQUESTSInclude
upgrade-insecure-requestsdirective. A boolean. False See: upgrade-insecure-requestsCSP_BLOCK_ALL_MIXED_CONTENTInclude
block-all-mixed-contentdirective. A boolean. False See: block-all-mixed-content
Changing the Policy¶
The policy can be changed on a per-view (or even per-request) basis. See the decorator documentation for more details.
Other Settings¶
These settings control the behavior of django-csp. Defaults are in italics.
CSP_REPORT_ONLYSend “report-only” headers instead of real headers. See the spec and the chapter on reports for more info. A boolean. False
CSP_EXCLUDE_URL_PREFIXESA tuple of URL prefixes. URLs beginning with any of these will not get the CSP headers. ()
Warning
Excluding any path on your site will eliminate the benefits of CSP everywhere on your site. The typical browser security model for JavaScript considers all paths alike. A Cross-Site Scripting flaw on, e.g., excluded-page/ can therefore be leveraged to access everything on the same origin.