authorJelle van der Waa <jelle@vdwaa.nl>2019-01-29 16:42:54 +0100
committerJelle van der Waa <jelle@archlinux.org>2019-02-18 16:42:51 +0100
commit3525458926dfa47e6c7bcedb4304cc243e78d47a (patch)
tree413b8c898c71fd6a07c797193768eaaf0071e80a /settings.py
parent6b22bedd82ae69a54f15c2f5f64f9f3945e5fb43 (diff)
Implement CSP for archweb
Add django-csp as a dependency to be able to set the CSP inside Django's settings and to allow setting a CSP_NONCE for inline <script>s in templates. Since archweb heavily uses this pattern, it's the best compromise.
Diffstat (limited to 'settings.py')
-rw-r--r--settings.py8
1 files changed, 8 insertions, 0 deletions
diff --git a/settings.py b/settings.py
index 10114f11..17377c25 100644
--- a/settings.py
+++ b/settings.py
@@ -53,6 +53,7 @@ MIDDLEWARE = (
'django.middleware.clickjacking.XFrameOptionsMiddleware',
'django.middleware.security.SecurityMiddleware',
'django.middleware.http.ConditionalGetMiddleware',
+ 'csp.middleware.CSPMiddleware',
)
# Base of the URL hierarchy
@@ -92,6 +93,12 @@ SECURE_CONTENT_TYPE_NOSNIFF = True
# X-XSS-Protection, enables cross-site scripting filter in most browsers
SECURE_BROWSER_XSS_FILTER = True
+# CSP Settings
+CSP_DEFAULT_SRC = ("'self'",)
+CSP_SCRIPT_SRC = ("'self'",)
+CSP_INCLUDE_NONCE_IN = ['script-src']
+CSP_IMG_SRC = ("'self'", 'data:',)
+
# Use new test runner
TEST_RUNNER = 'django.test.runner.DiscoverRunner'
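Review bot: The policy defined at CSP_DEFAULT_SRC/CSP_SCRIPT_SRC leaves out the directives that do not fall back to default-src, so plugin embedding and `<base>` injection stay unrestricted even though script loading is locked down; add `CSP_OBJECT_SRC = ("'none'",)` and `CSP_BASE_URI = ("'self'",)` next to the existing lines. Because style-src falls back to `'self'`, any inline `style=` attribute or `<style>` block in the templates will be blocked once this ships — worth checking, or starting with `CSP_REPORT_ONLY = True` for a rollout period so violations are reported before they are enforced. The `# CSP Settings` comment could also state the contract this creates: inline scripts must carry the per-request nonce exposed to templates, since un-nonced inline scripts are now rejected.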
@@ -194,6 +201,7 @@ TEMPLATES = [
'django.contrib.auth.context_processors.auth',
'django.template.context_processors.debug',
'django.contrib.messages.context_processors.messages',
+ 'csp.context_processors.nonce',
],
}
}
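Review bot: The added nonce context processor makes every rendered page depend on a per-request value, so any cache layer that stores rendered HTML or response headers would replay a stale nonce — either the header and body disagree and scripts stop running, or the same nonce is reused across requests and no longer proves anything; confirm that no full-page cache sits in front of template rendering before relying on nonces for inline scripts. The TEMPLATES list this hunk edits starts outside the hunk, so the surrounding options are not visible here. A short comment such as `# Exposes the per-request CSP nonce to templates for inline <script> tags` next to the added line would document why it is required.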