{"id":2475,"library":"django-csp","title":"Django CSP","description":"django-csp provides robust Content Security Policy (CSP) support for Django applications. It helps mitigate cross-site scripting (XSS) and other code injection attacks by adding CSP headers to HTTP responses. The latest major version is 4.0, which introduced significant breaking changes to its configuration format. The project is actively maintained, typically releasing updates to support new Django and Python versions.","status":"active","version":"4.0","language":"en","source_language":"en","source_url":"https://github.com/mozilla/django-csp","tags":["django","security","csp","content-security-policy","middleware"],"install":[{"cmd":"pip install django-csp","lang":"bash","label":"Install stable version"}],"dependencies":[],"imports":[{"symbol":"CSPMiddleware","correct":"from csp.middleware import CSPMiddleware"},{"symbol":"CSPReportMiddleware","correct":"from csp.middleware import CSPReportMiddleware"},{"symbol":"nonce","correct":"from csp.utils import nonce"},{"note":"Removed in v4.0; use CSP_AUTO_NONCE or CSP_NONCE_URL_PREFIXES instead.","wrong":"from csp.middleware import CSPMiddlewareAlwaysGenerateNonce","symbol":"CSPMiddlewareAlwaysGenerateNonce","correct":"N/A"}],"quickstart":{"code":"# settings.py\nfrom csp.constants import NONCE, SELF\n\nINSTALLED_APPS = [\n    # ...\n    \"csp\",\n]\n\nMIDDLEWARE = [\n    # ...\n    \"csp.middleware.CSPMiddleware\",\n    # Optionally, for reporting only:\n    # \"csp.middleware.CSPReportMiddleware\",\n    # ...\n]\n\n# Basic CSP policy, enforced for all pages by default.\n# v4.0 nests directives under the DIRECTIVES key; the middleware swaps NONCE\n# for the per-request nonce, so 'unsafe-inline' and 'unsafe-eval' are not needed.\nCONTENT_SECURITY_POLICY = {\n    \"DIRECTIVES\": {\n        \"default-src\": [SELF],\n        \"script-src\": [SELF, NONCE],\n        \"style-src\": [SELF, NONCE],\n        \"img-src\": [SELF, \"data:\", \"https://example.com\"],\n        \"report-uri\": [\"/csp-report/\"],\n    },\n}\n\n# To enable automatic nonce generation (recommended for inline scripts/styles)\nCSP_AUTO_NONCE = True\n\n# urls.py\n\nfrom django.urls import path\nfrom django.views.decorators.csrf import csrf_exempt\nfrom csp.views import report\n\nurlpatterns = [\n    # Your other URLs...\n    path(\"csp-report/\", csrf_exempt(report), name=\"csp-report\"),\n]\n\n# In your templates (e.g., base.html) to apply nonce to inline elements:\n# {% load csp %}\n# <script nonce=\"{% csp_nonce %}\">...</script>\n# <style nonce=\"{% csp_nonce %}\">...</style>","lang":"python","description":"To integrate django-csp, add `csp` to `INSTALLED_APPS` and `CSPMiddleware` to your `MIDDLEWARE` list. Define your Content Security Policy directives using the `CONTENT_SECURITY_POLICY` dictionary in `settings.py`. For nonce-based policies, set `CSP_AUTO_NONCE = True` and use the `{% csp_nonce %}` template tag for inline scripts and styles."},"warnings":[{"fix":"Migrate your CSP settings to the new dictionary-based format. Consult the official migration guide for v4.0.","message":"The configuration format changed significantly in v4.0. Old `CSP_` prefixed settings (e.g., `CSP_DEFAULT_SRC`, `CSP_REPORT_ONLY`) are removed. Policies must now be defined using dictionaries `CONTENT_SECURITY_POLICY` and `CONTENT_SECURITY_POLICY_REPORT_ONLY`.","severity":"breaking","affected_versions":"4.0+"},{"fix":"Remove `CSPMiddlewareAlwaysGenerateNonce` from your `MIDDLEWARE` list and rely on `CSP_AUTO_NONCE = True` (in settings) or `CSP_NONCE_URL_PREFIXES` for automatic nonce generation.","message":"The `CSPMiddlewareAlwaysGenerateNonce` middleware and the `CSP_ALWAYS_GENERATE_NONCE` setting were removed in v4.0. Nonce generation is now controlled by `CSP_AUTO_NONCE` or `CSP_NONCE_URL_PREFIXES`.","severity":"breaking","affected_versions":"4.0+"},{"fix":"Ensure `{% load csp %}` is present in your template, and apply `nonce=\"{% csp_nonce %}\"` to all inline `<script>` and `<style>` tags that should be allowed by your CSP.","message":"For nonce-based CSP, inline scripts and styles require the `nonce` attribute. While `CSP_AUTO_NONCE = True` generates a nonce, you *must* use the `{% csp_nonce %}` template tag to apply it to your inline elements.","severity":"gotcha","affected_versions":"3.x, 4.0+"},{"fix":"Integrate a rate-limiting middleware (e.g., `django-ratelimit`) or a proxy-level rate limiter to protect your CSP report endpoint.","message":"If you use the `report-uri` directive with `CSP_REPORT_PERCENTAGE`, you should implement rate limiting on the `/csp-report/` endpoint to prevent abuse and denial-of-service attacks, as browsers may send many reports.","severity":"gotcha","affected_versions":"3.x, 4.0+"}],"env_vars":null,"last_verified":"2026-04-10T00:00:00.000Z","next_check":"2026-07-09T00:00:00.000Z"}