Commit 207e3074 authored by Benjamin Hättasch's avatar Benjamin Hättasch

Introduce a Content Security Policy (using django-csp as new dependency)

Add django-csp to dependencies
Load middleware
Add config that matches current usage but with the most restrictive settings possible
parent 1e7ca6bf
1 merge request!98Introduce CSP and update js dependencies accordingly
......@@ -63,6 +63,7 @@ MIDDLEWARE = [
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'csp.middleware.CSPMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
'simple_history.middleware.HistoryRequestMiddleware',
]
......@@ -194,4 +195,13 @@ DASHBOARD_RECENT_MAX = 25
SIMPLE_BACKEND_REDIRECT_URL = "/user/"
LOGIN_REDIRECT_URL = SIMPLE_BACKEND_REDIRECT_URL
# Content Security Policy
CSP_DEFAULT_SRC = ("'self'",)
CSP_SCRIPT_SRC = ("'self'", "'unsafe-inline'")
CSP_STYLE_SRC = ("'self'", "'unsafe-inline'", "fonts.googleapis.com")
CSP_IMG_SRC = ("*", "data:")
CSP_MEDIA_SRC = ("*", )
CSP_FRAME_SRC = ("'self'", )
CSP_FONT_SRC = ("'self'", "data:", "fonts.gstatic.com")
include(optional("settings/*.py"))
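Review bot: `CSP_SCRIPT_SRC = ("'self'", "'unsafe-inline'")` on the second new line of this hunk still permits any inline script, so the header this commit introduces gives almost no protection against injected script, which is the main thing a CSP is for and the opposite of the "most restriction possible" the commit message claims. django-csp 3.7 can attach a per-request nonce instead, `CSP_INCLUDE_NONCE_IN = ("script-src",)`, with `nonce="{{ request.csp_nonce }}"` on the templates' inline `<script>` tags; the `csp.middleware.CSPMiddleware` added in the first hunk is what populates that nonce. While the templates are being converted, `CSP_REPORT_ONLY = True` lets the policy be observed in browser reports without breaking pages. Two directives do not inherit from `CSP_DEFAULT_SRC` and are worth setting explicitly here, `CSP_BASE_URI = ("'self'",)` and `CSP_FORM_ACTION = ("'self'",)`, and the `"*"` wildcards in `CSP_IMG_SRC` and `CSP_MEDIA_SRC` deserve a one-line comment saying which user-supplied or external content requires them. A blank line between the new block and the trailing `include(optional("settings/*.py"))` would keep the settings file's existing section spacing.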
......@@ -8,5 +8,6 @@ django-simple-history==3.0.0
django-registration-redux==2.9
django-debug-toolbar==3.2.1
django-bootstrap-datepicker-plus==3.0.5
django-csp==3.7
mysqlclient==2.0.3 # for production deployment
pytz==2021.1