19 👍
✅
Add this to your settings.py:
# Keep our policy as strict as possible
CSP_DEFAULT_SRC = ("'none'",)
CSP_STYLE_SRC = ("'self'", 'fonts.googleapis.com')
CSP_SCRIPT_SRC = ("'self'",)
CSP_FONT_SRC = ("'self'", 'fonts.gstatic.com')
CSP_IMG_SRC = ("'self'",)
And have a look at http://www.w3.org/TR/CSP/
👤iago1460
6 👍
Protecting a django app with a Content Security Policy is pretty straightforward and in your case the header should look something like this:
Content-Security-Policy: default-src 'none'; script-src 'self' www.google-analytics.com; connect-src 'self'; img-src 'self' www.google-analytics.com; style-src 'self' fonts.googleapis.com; font-src 'self' fonts.gstatic.com;
- pip install django-csp
- adjust your project’s settings module to add the “django-csp” middleware to your middleware classes
- add the above CSP header
Some more resources:
http://django-csp.readthedocs.io/en/latest/
https://www.templarbit.com/blog/2018/06/14/content-security-policy-with-django
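As an added illustration (not django-csp's own code), here is a small Python helper that converts django-csp style CSP_*_SRC settings into the header value shown above, parses it back, and flags sources a reviewer would object to; the settings dict is constructed to match that header and the directive-name mapping is an assumption of this example:

```python
# Added example, not django-csp's code: build a Content-Security-Policy header
# value from django-csp style settings, parse it back, and lint it.
from typing import Dict, List, Sequence

# Constructed settings that mirror the header shown in the answer above.
SETTINGS = {
    "CSP_DEFAULT_SRC": ("'none'",),
    "CSP_SCRIPT_SRC": ("'self'", "www.google-analytics.com"),
    "CSP_CONNECT_SRC": ("'self'",),
    "CSP_IMG_SRC": ("'self'", "www.google-analytics.com"),
    "CSP_STYLE_SRC": ("'self'", "fonts.googleapis.com"),
    "CSP_FONT_SRC": ("'self'", "fonts.gstatic.com"),
}

# Source expressions that weaken or defeat the policy when they appear.
WEAK_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:"}


def build_csp(settings: Dict[str, Sequence[str]]) -> str:
    """Turn CSP_<DIRECTIVE>_SRC settings into a header value.

    Assumed mapping: 'CSP_SCRIPT_SRC' becomes 'script-src'; directives keep
    the order of the settings dict. Keys that do not match are ignored.
    """
    parts = []
    for key, sources in settings.items():
        if not key.startswith("CSP_") or not key.endswith("_SRC"):
            continue
        directive = key[len("CSP_"):].lower().replace("_", "-")
        parts.append(f"{directive} {' '.join(sources)}")
    return "; ".join(parts)


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Parse a header value back into {directive: [sources]}; trailing ';' is fine."""
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def lint_csp(header: str) -> List[str]:
    """Return the findings a reviewer would raise: missing default-src, weak sources."""
    policy = parse_csp(header)
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src: unlisted directives fall back to allowing everything")
    for directive, sources in policy.items():
        findings.extend(f"{directive} allows {src}" for src in sources if src in WEAK_SOURCES)
    return findings
```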
4 👍
That is from the browser in HTML5. Here’s a good article on how to fix it in your headers:
http://www.html5rocks.com/en/tutorials/security/content-security-policy/
There’s also a Django app for handling this header:
http://django-csp.readthedocs.org/en/latest/configuration.html
Good luck!
👤FlipperPA
Source: stackexchange.com