Fixed #15727 -- Added Content Security Policy (CSP) support.

This initial work adds a pair of settings to configure specific CSP directives for enforcing or reporting policy violations, a new `django.middleware.csp.ContentSecurityPolicyMiddleware` to apply the appropriate headers to responses, and a context processor to support CSP nonces in templates for safely inlining assets. Relevant documentation has been added for the 6.0 release notes, security overview, a new how-to page, and a dedicated reference section. Thanks to the multiple reviewers for their precise and valuable feedback. Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
2025-10-23 21:59:11 +00:00 · 2025-05-03 10:01:58 -07:00
parent 3f59711581
commit d63241ebc7
26 changed files with 1192 additions and 1 deletions
--- a/tests/middleware/urls.py
+++ b/tests/middleware/urls.py
@@ -1,4 +1,5 @@
 from django.urls import path, re_path
+from django.views.debug import default_urlconf

 from . import views

@@ -11,4 +12,10 @@ urlpatterns = [
    # Should not append slash.
    path("sensitive_fbv/", views.sensitive_fbv),
    path("sensitive_cbv/", views.SensitiveCBV.as_view()),
+    # Used in CSP tests.
+    path("csp-failure/", default_urlconf),
+    path("csp-report/", views.csp_report_view),
+    path("csp-base/", views.empty_view),
+    path("csp-nonce/", views.csp_nonce),
+    path("csp-500/", views.csp_500),
 ]