Recall & Review
beginner
What is Content Security Policy (CSP)?
Content Security Policy is a security feature that helps prevent attacks like cross-site scripting (XSS) by controlling which resources (scripts, styles, images) a web page can load.
intermediate
How do you add a Content Security Policy header in Django?
You can add CSP headers in Django by using middleware or third-party packages like django-csp, which lets you define policies in your settings to control resource loading.
beginner
What does the directive script-src 'self' mean in a CSP?
It means the page is only allowed to load and run scripts that come from the same origin (domain) as the page itself, blocking scripts from other sources.
intermediate
Why is it important to avoid using unsafe-inline in CSP?
Using unsafe-inline allows inline scripts, which can open doors to XSS attacks. Avoiding it makes your site safer by only allowing trusted external scripts.
beginner
Name a common Django package used to implement CSP easily.
The package django-csp is commonly used to add and manage Content Security Policy headers in Django projects.
What is the main purpose of Content Security Policy in Django?
A. To control which resources the browser can load to improve security
B. To speed up page loading by caching resources
C. To style the webpage with CSS
D. To manage user authentication
CSP controls resource loading to prevent attacks like cross-site scripting.
Which directive restricts where scripts can be loaded from in CSP?
A. style-src
B. img-src
C. script-src
D. connect-src
The script-src directive controls allowed sources for scripts.
In Django, which method is commonly used to add CSP headers?
A. Writing CSP in templates only
B. Adding CSP in models.py
C. Using Django admin panel settings
D. Using middleware or django-csp package
Middleware or the django-csp package is used to add CSP headers in Django.
What risk does allowing unsafe-inline scripts in CSP introduce?
A. Cross-site scripting (XSS) attacks
B. Slower page load times
C. Broken images
D. Authentication failures
Allowing unsafe-inline scripts can lead to XSS attacks.
Which of these is NOT a valid CSP directive?
A. font-src
B. data-src
C. img-src
D. media-src
There is no 'data-src' directive in CSP.
Explain how Content Security Policy helps protect a Django web application.
Think about what kinds of attacks CSP blocks and how it tells the browser what is safe.
Describe how to implement a basic Content Security Policy in a Django project.
Focus on the steps from installing a package to setting rules.
Practice
1. What is the main purpose of Content Security Policy (CSP) in a Django application?
easy
A. To handle database migrations automatically
B. To speed up the loading time of the website
C. To control which external resources can be loaded by the browser
D. To manage user authentication and sessions
Solution
Step 1: Understand CSP's role in security
CSP is designed to restrict what content the browser can load, preventing harmful scripts or resources.
Step 2: Identify the correct purpose among options
Only option C, "To control which external resources can be loaded by the browser", describes controlling external resource loading, which matches CSP's function.
Final Answer:
To control which external resources can be loaded by the browser -> Option C
Quick Check:
CSP purpose = control resource loading [OK]
Hint: CSP controls resource loading to improve security [OK]
Common Mistakes:
Confusing CSP with performance optimization
Thinking CSP manages user sessions
Assuming CSP handles database tasks
2. Which of the following is the correct way to add a CSP header in a Django view?
easy
A. response.setHeader('Content-Security-Policy', "default-src 'self'")
B. response['headers']['Content-Security-Policy'] = "default-src 'self'"
C. response.set_header('Content-Security-Policy', "default-src 'self'")
D. response['Content-Security-Policy'] = "default-src 'self'"
Solution
Step 1: Recall Django HttpResponse header syntax
In Django, headers are set by assigning to response['Header-Name'].
Step 2: Match the correct syntax
Option D, response['Content-Security-Policy'] = "default-src 'self'", uses the response['Header-Name'] = value form, which is correct Django syntax.
Final Answer:
response['Content-Security-Policy'] = "default-src 'self'" -> Option D
Quick Check:
Django header set = response['Header'] = value [OK]
Hint: Use response['Header-Name'] = value to set headers in Django [OK]
Common Mistakes:
Using JavaScript or Flask header syntax in Django
Calling non-existent methods like setHeader
Trying to set headers via response.headers dictionary
3. Given this Django middleware snippet, what CSP header will be sent in the response?
A. Inline scripts blocked; add 'unsafe-inline' to script-src directive
B. Header syntax error; remove quotes around 'self'
C. Missing HTTPS; change 'self' to https://self
D. No fix needed; inline scripts should work by default
Solution
Step 1: Understand CSP default-src effect on scripts
default-src 'self' blocks inline scripts by default because inline scripts are unsafe.
Step 2: Fix by allowing inline scripts explicitly
Adding 'unsafe-inline' to script-src directive allows inline scripts to run.
Final Answer:
Inline scripts blocked; add 'unsafe-inline' to script-src directive -> Option A
Quick Check:
Inline scripts need 'unsafe-inline' in CSP [OK]
Hint: Add 'unsafe-inline' to allow inline scripts in CSP [OK]
Common Mistakes:
Removing quotes around 'self' breaks CSP syntax
Changing 'self' to https://self is invalid
Assuming inline scripts work without explicit permission
5. You want to allow images from your own site and from https://images.example.com but block all other sources. Which CSP header directive is correct in Django?
hard
A. response['Content-Security-Policy'] = "img-src 'self' https://images.example.com; default-src 'none'"
B. response['Content-Security-Policy'] = "default-src 'self' https://images.example.com"
C. response['Content-Security-Policy'] = "img-src *; default-src 'self'"
D. response['Content-Security-Policy'] = "img-src 'none'; default-src https://images.example.com"
Solution
Step 1: Identify directives to allow images only from specific sources
The img-src directive controls image sources; 'self' allows the site's own origin, and https://images.example.com is listed as the one additional allowed source.
Step 2: Block all other sources by setting default-src to 'none'
default-src 'none' blocks everything else not explicitly allowed.
Final Answer:
response['Content-Security-Policy'] = "img-src 'self' https://images.example.com; default-src 'none'" -> Option A
Quick Check:
Allow images from self and example.com, block others [OK]
Hint: Use img-src for images and default-src 'none' to block others [OK]
Common Mistakes:
Using default-src for images allows too many sources