Introduce a Content Security Policy (using django-csp as new dependency)

Add django-csp to dependencies Load middleware Add config that matches current usage but with most possible restriction

Introduce a Content Security Policy (using django-csp as new dependency)
207e3074 · Benjamin Hättasch · 1e7ca6bf · 207e3074 · 207e3074
Commit 207e3074 authored 3 years ago by Benjamin Hättasch
--- a/AKPlanning/settings.py
+++ b/AKPlanning/settings.py
@@ -63,6 +63,7 @@ MIDDLEWARE = [
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
+    'csp.middleware.CSPMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'simple_history.middleware.HistoryRequestMiddleware',
 ]
@@ -194,4 +195,13 @@ DASHBOARD_RECENT_MAX = 25
 SIMPLE_BACKEND_REDIRECT_URL = "/user/"
 LOGIN_REDIRECT_URL = SIMPLE_BACKEND_REDIRECT_URL

+# Content Security Policy
+CSP_DEFAULT_SRC = ("'self'",)
+CSP_SCRIPT_SRC = ("'self'", "'unsafe-inline'")
+CSP_STYLE_SRC = ("'self'", "'unsafe-inline'", "fonts.googleapis.com")
+CSP_IMG_SRC = ("*", "data:")
+CSP_MEDIA_SRC = ("*", )
+CSP_FRAME_SRC = ("'self'", )
+CSP_FONT_SRC = ("'self'", "data:", "fonts.gstatic.com")
+
 include(optional("settings/*.py"))
--- a/requirements.txt
+++ b/requirements.txt
@@ -8,5 +8,6 @@ django-simple-history==3.0.0
 django-registration-redux==2.9
 django-debug-toolbar==3.2.1
 django-bootstrap-datepicker-plus==3.0.5
+django-csp==3.7
 mysqlclient==2.0.3  # for production deployment
 pytz==2021.1