
Configuring the Content Security Policy

MDN docs

The Mozilla Developer Network has more on Content Security Policy

The HTTP Content-Security-Policy response header allows website administrators to control which resources the user agent is allowed to load for a given page.

With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting (XSS) attacks, because injected script that does not come from an allowed source is refused by the browser.

Strict CSP

Benefits configures a Strict Content Security Policy. A Strict CSP allows scripts by per-request nonce (or hash) rather than by host allowlist, which removes the common allowlist bypasses. Read more about Strict CSP from Google: https://csp.withgoogle.com/docs/strict-csp.html.

django-csp

django-csp docs

Configuring django-csp

Benefits uses the open source django-csp library to build and set the Content-Security-Policy response header from Django settings.

Environment Variables

DJANGO_CSP_CONNECT_SRC

Comma-separated list of source expressions (origins or URIs, or quoted keywords such as 'self'). Configures the connect-src Content Security Policy directive, which restricts the targets of fetch(), XMLHttpRequest, WebSocket and EventSource connections.

DJANGO_CSP_FONT_SRC

Comma-separated list of source expressions (origins or URIs, or quoted keywords such as 'self'). Configures the font-src Content Security Policy directive, which restricts where web fonts (for example, @font-face sources) may be loaded from.

DJANGO_CSP_FRAME_SRC

Comma-separated list of source expressions (origins or URIs, or quoted keywords such as 'self'). Configures the frame-src Content Security Policy directive, which restricts the URLs that may be embedded in nested browsing contexts such as iframe and frame.

DJANGO_CSP_SCRIPT_SRC

Comma-separated list of source expressions (origins or URIs, or quoted keywords such as 'self'). Configures the script-src Content Security Policy directive, which restricts where JavaScript may be loaded from; this is the directive that matters most for XSS, so avoid 'unsafe-inline', 'unsafe-eval' and wildcard hosts here.

DJANGO_CSP_STYLE_SRC

Comma-separated list of source expressions (origins or URIs, or quoted keywords such as 'self'). Configures the style-src Content Security Policy directive, which restricts where stylesheets may be loaded from.
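The following is an added example, not the Benefits project's own settings code and not part of django-csp. It shows how the comma-separated DJANGO_CSP_* variables above turn into per-directive source lists, what the resulting Content-Security-Policy header looks like once a per-request nonce is added to script-src (the Strict CSP mechanism described earlier), and a quick check for script-src values that undermine a Strict CSP. The environment variable names are those documented on this page; the helper names, the sample environment values, and the list of "weak" sources are assumptions made for illustration.

```python
"""Added example (not Benefits' own code): derive CSP directive values from
DJANGO_CSP_* environment variables, render the resulting header, and check
script-src against Strict CSP expectations. Helper names are illustrative."""

import os
import secrets
from typing import Mapping

# Environment variable -> CSP directive, as documented on this page.
ENV_DIRECTIVES = {
    "DJANGO_CSP_CONNECT_SRC": "connect-src",
    "DJANGO_CSP_FONT_SRC": "font-src",
    "DJANGO_CSP_FRAME_SRC": "frame-src",
    "DJANGO_CSP_SCRIPT_SRC": "script-src",
    "DJANGO_CSP_STYLE_SRC": "style-src",
}

# Source expressions that defeat a Strict CSP when they appear in script-src
# (assumed list for this check; a full audit would also question host allowlists).
WEAK_SCRIPT_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "http:", "https:", "data:"}


def parse_sources(value: str) -> tuple[str, ...]:
    """Split a comma-separated env value into a tuple of source expressions,
    trimming whitespace and dropping empty items (a trailing comma is common)."""
    return tuple(item.strip() for item in value.split(",") if item.strip())


def csp_directives(env: Mapping[str, str] = os.environ) -> dict[str, tuple[str, ...]]:
    """Build {directive: sources} from the environment. A directive whose
    variable is unset or empty is omitted, so the browser falls back to
    default-src for that resource type."""
    directives = {}
    for var, directive in ENV_DIRECTIVES.items():
        sources = parse_sources(env.get(var, ""))
        if sources:
            directives[directive] = sources
    return directives


def render_policy(directives, default_src=("'self'",), nonce=None) -> str:
    """Render the header value. When a nonce is given it is appended to
    script-src as 'nonce-<value>', which is how a Strict CSP allows the
    page's own scripts without a host allowlist. The nonce must be fresh
    per response and unguessable."""
    merged = dict(directives)
    if nonce:
        merged["script-src"] = merged.get("script-src", ()) + (f"'nonce-{nonce}'",)
    parts = [("default-src", default_src)] + list(merged.items())
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in parts)


def weak_script_sources(directives) -> set[str]:
    """Return script-src entries that undermine a Strict CSP: 'unsafe-*'
    keywords, scheme-only sources and wildcard hosts. Empty means the
    directive is keyword/nonce based, as Strict CSP expects."""
    return {
        s for s in directives.get("script-src", ())
        if s in WEAK_SCRIPT_SOURCES or "*" in s
    }


if __name__ == "__main__":
    # Constructed sample environment; these are not Benefits' deployed values.
    sample_env = {
        "DJANGO_CSP_CONNECT_SRC": "'self',https://api.example.com",
        "DJANGO_CSP_SCRIPT_SRC": "'self','unsafe-inline',https://cdn.example.com,",
        "DJANGO_CSP_STYLE_SRC": "'self'",
    }
    directives = csp_directives(sample_env)
    print(render_policy(directives, nonce=secrets.token_urlsafe(16)))
    print("weak script-src entries:", weak_script_sources(directives))
```

Setting DJANGO_CSP_SCRIPT_SRC to 'self' alone and letting the nonce do the rest keeps script-src strict; any value the check flags means the policy has drifted away from Strict CSP and inline or third-party script injection would no longer be blocked.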