Django framework · ~30 mins

Content Security Policy in Django - Mini Project: Build & Apply

Implementing Content Security Policy in Django
📖 Scenario: You are building a Django web application that needs to resist common web attacks such as cross-site scripting (XSS). To do this, you want to add a Content-Security-Policy (CSP) header to your HTTP responses. This header tells the browser which sources it may load scripts, styles and other content from, so an injected script from elsewhere is refused even if it reaches the page.
🎯 Goal: Learn how to set up a basic Content Security Policy in a Django project by adding middleware that sets the CSP header. You will create a simple policy that allows content only from your own origin ('self'); trusted third-party hosts can be appended to the relevant directives later.
📋 What You'll Learn
Create a Django middleware class that adds a Content-Security-Policy header
Define a CSP policy string that allows scripts and styles only from the same origin
Add the middleware to the Django settings
Verify the CSP header is included in HTTP responses
💡 Why This Matters
🌍 Real World
Content Security Policy helps protect websites from attacks like cross-site scripting by controlling which sources the browser can load content from.
💼 Career
Understanding how to implement CSP in Django is important for web developers focused on security and compliance with best practices.
Step 1: Create a basic Django middleware class
Create a Django middleware class called ContentSecurityPolicyMiddleware in a file named middleware.py. The class should have an __init__ method that takes get_response and stores it, and a __call__ method that takes request, calls self.get_response(request), and returns that response unchanged.
Hint: Django middleware classes have an __init__ method that takes get_response (the next middleware or the view) and a __call__ method that takes request and returns a response.

Step 2: Define the Content Security Policy string
Inside the ContentSecurityPolicyMiddleware class, add a class variable called csp_policy and set it to the string "default-src 'self'; script-src 'self'; style-src 'self'".
Hint: The CSP string controls which sources are allowed. default-src 'self' allows content only from your own origin; the explicit script-src and style-src directives override it for scripts and styles. Note that 'self' does not permit inline <script> blocks, inline event handlers or style attributes, so templates that rely on them will break unless the policy is relaxed.

Step 3: Add the CSP header to the response
Modify the __call__ method in ContentSecurityPolicyMiddleware to add a header named Content-Security-Policy with the value of self.csp_policy to the response before returning it.
Hint: Use response["Content-Security-Policy"] = self.csp_policy to set the header.

Step 4: Add the middleware to Django settings
In your Django settings.py file, add the string 'yourapp.middleware.ContentSecurityPolicyMiddleware' to the MIDDLEWARE list. Place it near the top, after 'django.middleware.security.SecurityMiddleware', so the header is applied to every response that passes through the middleware chain.
Hint: Insert your middleware string into the MIDDLEWARE list in settings.py. Then verify the header, for example with curl -sI http://127.0.0.1:8000/ against the development server, or in a test with self.client.get("/")["Content-Security-Policy"].
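The four steps above, assembled into one complete middleware.py, as an added example rather than the course's own solution. The middleware uses only the protocol the steps describe (a stored get_response callable and a __call__ that takes request), so the file does not import Django. To let it run offline, the block also includes a constructed FakeRequest/FakeResponse pair standing in for Django's objects (a real HttpResponse supports the same header operations used here) and two small helpers, parse_csp and is_self_only, that check the emitted policy the way a test would. The guard that skips views which already set their own policy is an addition beyond the tutorial's steps.

```python
# middleware.py (added example; FakeRequest, FakeResponse, parse_csp and
# is_self_only are constructed for offline checking and are not part of Django)

CSP_HEADER = "Content-Security-Policy"


class ContentSecurityPolicyMiddleware:
    """Set a Content-Security-Policy header on every response.

    Follows Django's middleware protocol: __init__ receives get_response
    (the next middleware or the view) and __call__ receives the request.
    """

    # Step 2: only the page's own origin may supply scripts, styles and
    # everything else. No 'unsafe-inline', so inline <script> and style
    # attributes are blocked by the browser.
    csp_policy = "default-src 'self'; script-src 'self'; style-src 'self'"

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        response = self.get_response(request)
        # Step 3: add the header. A view that set an explicit policy keeps it;
        # HttpResponse supports `in` for case-insensitive header lookup.
        if CSP_HEADER not in response:
            response[CSP_HEADER] = self.csp_policy
        return response


def parse_csp(policy):
    """Split a CSP string into {directive: [source, ...]} for inspection."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives


def is_self_only(policy):
    """True if every directive allows nothing beyond the page's own origin."""
    parsed = parse_csp(policy)
    return bool(parsed) and all(src == ["'self'"] for src in parsed.values())


# --- constructed stand-ins for Django's request/response, offline use only ---

class FakeRequest:
    path = "/"


class FakeResponse:
    def __init__(self, headers=None):
        self.headers = dict(headers or {})

    def __setitem__(self, name, value):
        self.headers[name] = value

    def __getitem__(self, name):
        return self.headers[name]

    def __contains__(self, name):
        return name in self.headers


def run_middleware(view_headers=None):
    """Wrap a stub view in the middleware and return the resulting response."""
    def view(request):
        return FakeResponse(view_headers)

    middleware = ContentSecurityPolicyMiddleware(view)
    return middleware(FakeRequest())


if __name__ == "__main__":
    resp = run_middleware()
    print(resp[CSP_HEADER])
    print(parse_csp(resp[CSP_HEADER]))
```

For Step 4, the settings.py entry is a plain string in MIDDLEWARE placed right after 'django.middleware.security.SecurityMiddleware'. Before enforcing the policy in production, consider shipping the same string under the Content-Security-Policy-Report-Only header first and watching browser console reports: a 'self'-only policy will silently break any inline script or style in your templates, and CSP is a defence-in-depth layer, not a substitute for template autoescaping.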