Django framework, ~20 mins

Content Security Policy in Django - Practice Problems & Coding Challenges

Challenge - 5 Problems
Badge: CSP Mastery in Django (answer all five challenges correctly to earn it)
Problem 1: Component behavior (intermediate)
What happens when a script violates the CSP in Django?
If a Django app has a Content Security Policy that disallows inline scripts, what will happen if the page tries to run an inline <script> block?
A. The inline script runs normally without any warnings or errors.
B. The Django server throws an error and stops serving the page.
C. The browser blocks the inline script from running and logs a CSP violation in the console.
D. The inline script runs but logs a warning on the server side.
💡 Hint
Think about how browsers enforce CSP policies on the client side.
📝 Problem 2: Syntax (intermediate)
Which Django middleware setting correctly enables CSP with default-src 'self'?
Choose the correct way to add Content Security Policy middleware in Django settings to allow resources only from the same origin.
A.
MIDDLEWARE = ['django.middleware.security.SecurityMiddleware', 'csp.middleware.CSPMiddleware']
CSP_DEFAULT_SRC = ("self",)
B.
MIDDLEWARE = ['django.middleware.security.SecurityMiddleware', 'csp.middleware.CSPMiddleware']
CSP_DEFAULT_SRC = ("'self'",)
C.
MIDDLEWARE = ['django.middleware.security.SecurityMiddleware', 'csp.middleware.CSPMiddleware']
CSP_DEFAULT_SRC = ['self']
D.
MIDDLEWARE = ['csp.middleware.CSPMiddleware', 'django.middleware.security.SecurityMiddleware']
CSP_DEFAULT_SRC = ['self']
💡 Hint
The source list can be a tuple or a list, but the keyword needs its own single quotes inside the Python string: "'self'" is the CSP keyword, while a bare "self" is sent to the browser as a host named self and matches nothing.
🔧 Problem 3: Debug (advanced)
Why might inline scripts still be blocked under this CSP header?
Given this Django CSP header: Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline', why might the browser still block an inline script?
A. Because the CSP header syntax is invalid due to missing semicolons.
B. Because the CSP header is missing the style-src directive, which is required for scripts.
C. Because 'unsafe-inline' is not a valid CSP keyword and causes the header to be ignored.
D. Because another policy is also in effect: every delivered Content-Security-Policy header or <meta> tag must allow the script, and once a nonce or hash source appears in the same script-src directive, browsers ignore 'unsafe-inline'. On its own, this header does allow inline scripts.
💡 Hint
A single policy with 'unsafe-inline' and no nonce or hash permits inline scripts; think about what happens when policies are combined or a nonce or hash is added to the directive.
Problem 4: State output (advanced)
What is the effect of this Django CSP setting on image loading?
If Django settings include CSP_IMG_SRC = ("'self'", 'https://images.example.com'), what images will the browser allow to load?
A. Only images from the same origin and from https://images.example.com will load; others are blocked.
B. All images will load regardless of source because CSP_IMG_SRC is ignored.
C. Only images from https://images.example.com will load; same-origin images are blocked.
D. No images will load because the syntax is invalid.
💡 Hint
Think about what 'self' means in CSP and how multiple sources work.
🧠 Problem 5: Conceptual (expert)
Why is using CSP with nonce better than 'unsafe-inline' in Django?
In Django, why is it more secure to use a nonce-based Content Security Policy for scripts instead of allowing 'unsafe-inline'?
A. Nonce-based CSP allows inline scripts only if they have a matching nonce, preventing attackers from injecting scripts without the nonce.
B. 'unsafe-inline' is more secure because it allows all inline scripts, making debugging easier.
C. Nonce-based CSP disables all scripts, which is safer than allowing any inline scripts.
D. 'unsafe-inline' requires a nonce to work, so they are equivalent in security.
💡 Hint
Consider how CSP nonces help prevent cross-site scripting attacks.
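The following is an added example, not code from this page or from django-csp. It ties the five problems together: it starts from django-csp 3.x style CSP_* settings (the setting names are real; the values are this example's), builds the header value the middleware would send, including a per-request nonce for script-src, and then models how a browser decides whether an inline script runs under one or more delivered policies. The helpers build_csp_header, parse_policy, source_kind and inline_script_allowed are hypothetical and written for this example; they are not django-csp's API. Note that django-csp 4.0 replaced the CSP_* settings with a single CONTENT_SECURITY_POLICY dictionary, so the settings shown apply to the 3.x series the quiz uses.

```python
"""Added example (not from the page or from django-csp): build a Content-Security-Policy
header from django-csp 3.x style CSP_* settings, then evaluate whether an inline <script>
would run under one or more delivered policies, the way a browser does."""
from __future__ import annotations

from typing import Optional

# django-csp 3.x settings. The names are the real ones; the values are this example's.
# The inner single quotes make 'self' a CSP keyword; a bare "self" would be a host source
# (a server literally called self). The trailing comma keeps ("'self'",) a tuple.
CSP_DEFAULT_SRC = ("'self'",)
CSP_SCRIPT_SRC = ("'self'",)  # no 'unsafe-inline': inline scripts must carry the nonce
CSP_IMG_SRC = ("'self'", "https://images.example.com")
CSP_INCLUDE_NONCE_IN = ("script-src",)  # middleware appends 'nonce-<random>' per request
# Template side (django-csp 3.x): <script nonce="{{ request.csp_nonce }}">...</script>

DJANGO_SETTINGS = {
    "CSP_DEFAULT_SRC": CSP_DEFAULT_SRC,
    "CSP_SCRIPT_SRC": CSP_SCRIPT_SRC,
    "CSP_IMG_SRC": CSP_IMG_SRC,
    "CSP_INCLUDE_NONCE_IN": CSP_INCLUDE_NONCE_IN,
}

HASH_PREFIXES = ("'sha256-", "'sha384-", "'sha512-")


def source_kind(token: str) -> str:
    """Classify one source expression (hypothetical helper; shows the quoting rule)."""
    if token.startswith("'nonce-"):
        return "nonce"
    if token.startswith(HASH_PREFIXES):
        return "hash"
    if token.startswith("'") and token.endswith("'"):
        return "keyword"  # 'self', 'none', 'unsafe-inline', 'strict-dynamic', ...
    if token.endswith(":"):
        return "scheme"  # https:, data:, blob:
    return "host"  # example.com, https://images.example.com, *.cdn.example, or a bare self


def build_csp_header(settings: dict, nonce: Optional[str] = None) -> str:
    """Serialise CSP_* settings into a header value. Hypothetical helper that mirrors the
    shape of what csp.middleware.CSPMiddleware emits; it is not django-csp's own code."""
    nonce_directives = settings.get("CSP_INCLUDE_NONCE_IN", ())
    parts = []
    for key, values in settings.items():
        if not key.startswith("CSP_") or key == "CSP_INCLUDE_NONCE_IN":
            continue
        directive = key[len("CSP_"):].lower().replace("_", "-")  # CSP_IMG_SRC -> img-src
        sources = list(values)
        if nonce and directive in nonce_directives:
            sources.append(f"'nonce-{nonce}'")
        parts.append(f"{directive} {' '.join(sources)}")
    return "; ".join(parts)


def parse_policy(header: str) -> dict:
    """Split a header value into {directive: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def inline_script_allowed(headers: list, nonce: Optional[str] = None) -> bool:
    """Would an inline <script> (with attribute nonce=`nonce`, or none) execute?
    Browser rules modelled here (CSP Level 2/3):
      * script-src governs; if absent, default-src is the fallback; if both are absent
        the policy does not restrict scripts at all.
      * Every delivered policy (each header or <meta>) must allow the script: policies
        intersect, they never loosen each other.
      * A matching 'nonce-...' always allows the script.
      * 'unsafe-inline' allows it only when no nonce- or hash-source is present in the
        same directive; once one is, browsers ignore 'unsafe-inline'.
    """
    for header in headers:
        policy = parse_policy(header)
        sources = policy.get("script-src", policy.get("default-src"))
        if sources is None:
            continue  # this policy says nothing about scripts
        if nonce and f"'nonce-{nonce}'" in sources:
            continue
        has_nonce_or_hash = any(source_kind(s) in ("nonce", "hash") for s in sources)
        if "'unsafe-inline'" in sources and not has_nonce_or_hash:
            continue
        return False  # violation: the browser blocks it and reports in the console
    return True


if __name__ == "__main__":
    import secrets

    per_request_nonce = secrets.token_urlsafe(16)  # what the middleware would generate
    header = build_csp_header(DJANGO_SETTINGS, nonce=per_request_nonce)
    print(header)
    print("script with nonce runs:", inline_script_allowed([header], per_request_nonce))
    print("injected script (no nonce) runs:", inline_script_allowed([header]))
    print("bare self is a", source_kind("self"), "source; 'self' is a", source_kind("'self'"))
```

Running the block prints the header for one request and shows the point of Problem 5: a script carrying the request's nonce runs, while a script an attacker injects cannot know the nonce and is blocked, even though no 'unsafe-inline' is needed for the page's own scripts. Passing two header values to inline_script_allowed reproduces the corrected Problem 3: a second, stricter policy blocks what the first one allowed.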