mirror of
https://github.com/django/django.git
synced 2025-03-31 11:37:06 +00:00
Refs #15727 - Docs: Added CSP to Security topic
This commit is contained in:
parent
ff308a0604
commit
022a171ddc
@ -18,7 +18,7 @@ by the user's browser. However, XSS attacks can originate from any untrusted
source of data, such as cookies or web services, whenever the data is not
sufficiently sanitized before including in a page.
Using Django templates protects you against the majority of XSS attacks.
Using Django templates protects you against many types of XSS attacks.
However, it is important to understand what protections it provides
and its limitations.
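Review bot: the change from "the majority of" to "many types of" in "Using Django templates protects you against ... XSS attacks." is a wording tweak unrelated to the CSP section this commit adds, and the commit message does not mention it; either call it out in the message or split it into its own commit. Note also that "many types" is vaguer than the original, so the following sentence ("it is important to understand what protections it provides and its limitations") now carries the whole burden of telling the reader where template auto-escaping stops.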
@ -49,6 +49,39 @@ You should also be very careful when storing HTML in the database, especially
when that HTML is retrieved and displayed.


.. _csp:
Content Security Policy (CSP)
=============================
It's widely recommended to add a Content Security Policy (CSP) to your website
in order to protect the website and its users from XSS attacks as mentioned in
the previous chapter. CSP defines which source servers that are allowed to embed
content such as scripts, stylesheets, images and fonts into your webpages.
CSP is defined by one or more HTTP headers sent from the web server. The headers
follow a special format, informing the browser about which sources it is allowed
to fetch content from for this particular domain.
This allows you to mitigate a wide range of attacks. For instance, an attacker
could try to sneak in code for an XSS attack that would embed a malicious
JavaScript to spy on the user. By adding CSP headers, your web server will
inform the user's browser that such a script is never acceptable in the first
place.
CSP can be enabled by adding an external Django package, providing a middleware
and an easy configuration layer **or** by configuring your HTTP server to add
these headers.
.. tip::
Content Security Policy is quite advanced, and it's recommended to read more
on Wikipedia or OWASP. For instance, it's possible to define a reporting URL
that the browser will contact through a POST request in case of violations of
your policy. In that way, you may softly implement CSP without blocking
requests and only enforce the policy once you know more from reports.


Cross site request forgery (CSRF) protection
============================================
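Review bot: "CSP defines which source servers that are allowed to embed content" has a stray "that" and should read "CSP defines which source servers are allowed to embed content"; likewise "as mentioned in the previous chapter" should be "the previous section", since this is one section of the security topic, not a separate chapter. In the tip, the report-then-enforce workflow it describes relies on a distinct header, ``Content-Security-Policy-Report-Only``, which is worth naming so readers can find it. It would also help to state that a policy allowing ``'unsafe-inline'`` for scripts does not block the injected-script example given earlier in the section, since that is the most common way a deployed CSP ends up providing no XSS mitigation at all.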
@ -79,6 +112,8 @@ HSTS for supported browsers.
Be very careful with marking views with the ``csrf_exempt`` decorator unless
it is absolutely necessary.



.. _sql-injection-protection:
SQL injection protection
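Review bot: the whitespace added here leaves three blank lines before ``.. _sql-injection-protection:``, whereas the new ``.. _csp:`` label in the previous hunk is preceded by two; drop one of the added blank lines so the spacing between sections stays consistent, or explain in the commit message why this section needs different spacing.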