From 022a171ddcef128da7b4b72793572c47dea98a19 Mon Sep 17 00:00:00 2001 From: Benjamin Bach Date: Thu, 30 May 2024 11:08:03 +0200 Subject: [PATCH] Refs #15727 - Docs: Added CSP to Security topic --- docs/topics/security.txt | 37 ++++++++++++++++++++++++++++++++++++- 1 file changed, 36 insertions(+), 1 deletion(-) diff --git a/docs/topics/security.txt b/docs/topics/security.txt index 0f6f05163a..e031d45f19 100644 --- a/docs/topics/security.txt +++ b/docs/topics/security.txt @@ -18,7 +18,7 @@ by the user's browser. However, XSS attacks can originate from any untrusted source of data, such as cookies or web services, whenever the data is not sufficiently sanitized before including in a page. -Using Django templates protects you against the majority of XSS attacks. +Using Django templates protects you against many types of XSS attacks. However, it is important to understand what protections it provides and its limitations. 
@@ -49,6 +49,39 @@ You should also be very careful when storing HTML in the database, especially when that HTML is retrieved and displayed. +.. _csp: + +Content Security Policy (CSP) +============================= + +It's widely recommended to add a Content Security Policy (CSP) to your website +in order to protect the website and its users from XSS attacks as mentioned in +the previous chapter. CSP defines which source servers that are allowed to embed +content such as scripts, stylesheets, images and fonts into your webpages. + +CSP is defined by one or more HTTP headers sent from the web server. The headers +follow a special format, informing the browser about which sources it is allowed +to fetch content from for this particular domain. + +This allows you to mitigate a wide range of attacks. For instance, an attacker +could try to sneak in code for an XSS attack that would embed a malicious +JavaScript to spy on the user. By adding CSP headers, your web server will +inform the user's browser that such a script is never acceptable in the first +place. + +CSP can be enabled by adding an external Django package, providing a middleware +and an easy configuration layer **or** by configuring your HTTP server to add +these headers. + +.. tip:: + + Content Security Policy is quite advanced, and it's recommended to read more + on Wikipedia or OWASP. For instance, it's possible to define a reporting URL + that the browser will contact through a POST request in case of violations of + your policy. In that way, you may softly implement CSP without blocking + requests and only enforce the policy once you know more from reports. + + Cross site request forgery (CSRF) protection ============================================ @@ -79,6 +112,8 @@ HSTS for supported browsers. Be very careful with marking views with the ``csrf_exempt`` decorator unless it is absolutely necessary. + + .. _sql-injection-protection: SQL injection protection
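Review bot: the first hunk's wording change in docs/topics/security.txt, from "the majority of XSS attacks" to "many types of XSS attacks", is unrelated to adding the CSP section and is not mentioned in the commit message ("Docs: Added CSP to Security topic"). The softer claim is fine on its own, but either say why it is being weakened in the commit message or move it to a separate patch, since a reader of the history cannot tell whether it was deliberate.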
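Review bot: in the new CSP section, the sentence "CSP defines which source servers that are allowed to embed content such as scripts, stylesheets, images and fonts into your webpages" is both ungrammatical and incomplete about what the mechanism does; CSP tells the browser which sources it may load resources from and, just as important for XSS, whether inline scripts and ``eval()`` may run at all. Something like "CSP tells the browser which sources it may load scripts, stylesheets, images and fonts from, and whether inline scripts are allowed to run" would fix both. The follow-on claim that the browser is told "such a script is never acceptable in the first place" only holds when the policy does not allow ``'unsafe-inline'`` for scripts; a permissive policy gives no XSS protection, and that caveat belongs next to the claim so readers do not copy a lax policy and assume they are covered. The section also never names the header or shows a policy, so "follow a special format" is left abstract; one line such as ``Content-Security-Policy: default-src 'self'`` would anchor it. In the tip, "read more on Wikipedia or OWASP" should be a link in the usual docs style (the OWASP CSP cheat sheet or MDN), and the report-then-enforce workflow it describes is report-only mode, so naming the ``Content-Security-Policy-Report-Only`` header and the ``report-uri``/``report-to`` directive would make it actionable. Finally, "as mentioned in the previous chapter" should read "previous section", since this is the same document.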
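Review bot: the last hunk only adds blank lines before ``.. _sql-injection-protection:``, leaving extra empty lines between the CSRF and SQL injection sections; this whitespace change is unrelated to the CSP addition and should be dropped from the patch.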