mirror of
https://github.com/django/django.git
synced 2025-10-23 21:59:11 +00:00
Fixed #15727 -- Added Content Security Policy (CSP) support.

This initial work adds a pair of settings to configure specific CSP directives for enforcing or reporting policy violations, a new `django.middleware.csp.ContentSecurityPolicyMiddleware` to apply the appropriate headers to responses, and a context processor to support CSP nonces in templates for safely inlining assets. Relevant documentation has been added for the 6.0 release notes, security overview, a new how-to page, and a dedicated reference section. Thanks to the multiple reviewers for their precise and valuable feedback.

Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
@@ -286,6 +286,61 @@ User-uploaded content

.. _same-origin policy: https://en.wikipedia.org/wiki/Same-origin_policy

.. _security-csp:

Content Security Policy
=======================

.. versionadded:: 6.0

Content Security Policy (CSP) is a browser security mechanism that helps
protect web applications against attacks such as cross-site scripting (XSS) and
other content injection attacks.

CSP allows web applications to define which sources of content are trusted,
instructing the browser to load, execute, or render resources only from those
sources. This effectively creates an allowlist of content origins, reducing the
risk of malicious code execution.

Key benefits of enabling CSP include:

1. Mitigating XSS attacks by blocking inline scripts and restricting external
script loading.
2. Controlling which external resources (e.g., images, fonts, stylesheets) can
be loaded.
3. Preventing unwanted framing of your site to protect against clickjacking.
4. Reporting violations to a specified endpoint, enabling monitoring and
debugging.

For configuration instructions, see the :ref:`Using CSP <csp-config>`
documentation, and refer to the :ref:`CSP overview <csp-overview>` for details
on directives and settings.

Limitations and considerations
------------------------------

While CSP is a powerful security mechanism, it's important to understand its
limitations and implications, particularly when used in Django:

* Policy exclusion risks: Avoid excluding specific paths or responses from
CSP protection. Due to the browser’s same-origin policy, a vulnerability on
an unprotected page (e.g., one allowing arbitrary script injection) may be
leveraged to attack protected pages. Excluding *any* route can significantly
weaken the site's overall CSP protection.

* Performance overhead: Although typically negligible, CSP adds some processing
overhead. Nonce generation involves secure randomness for each applicable
request. For high-traffic applications or resource-constrained environments,
measure the performance impact accordingly.

* Browser support: While CSP Levels 1 and 2 are widely supported, newer
directives (CSP Level 3+) or complex policy behaviors may vary across
browsers. Test your policy across the environments you intend to support.

Despite these limitations, CSP remains an important and recommended security
layer for web applications. Understanding its constraints will help you design
a more effective and reliable deployment.

.. _additional-security-topics:

Additional security topics
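Review bot: the "Policy exclusion risks" bullet states the consequence but leaves out the reasoning step that justifies it: the same-origin policy treats every page on one origin as a single security context, so script injected into an unprotected page has the same access to cookies, storage and the DOM of protected pages as those pages have themselves, which is why the CSP on the protected pages does not help. Suggest rewording the second sentence along the lines of "Because the browser's same-origin policy grants all pages on an origin access to each other, an injection on an unprotected page can be used to read and modify protected pages." Separately, confirm that the ``csp-config`` and ``csp-overview`` labels used by the two ``:ref:`` roles are defined in the new how-to and reference pages this commit adds, otherwise Sphinx will report undefined labels when the docs are built.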