
Add a CSP section to the 5.2 release notes

This commit is contained in:
Rob Hudson 2024-12-21 11:09:58 -08:00
parent d30fab2c5d
commit 77e89b49e5
2 changed files with 45 additions and 3 deletions


@ -10,9 +10,9 @@ Content Security Policy (CSP)
:synopsis: Middleware for Content Security Policy headers
Content Security Policy (CSP) is a web security standard that helps prevent
attacks by controlling the sources from which content can be loaded. :ref:`CSP
enforcement <security-csp>` plays an important role in a comprehensive security
strategy.
attacks by controlling the sources from which content can be loaded. CSP
enforcement plays an important role in a comprehensive :doc:`security strategy
</topics/security>`.
.. _using-csp:
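Review bot: the commit message ("Add a CSP section to the 5.2 release notes") does not mention that this hunk also rewrites the cross-reference in the CSP module overview, swapping ``:ref:`CSP enforcement <security-csp>``` for a ``:doc:`security strategy </topics/security>``` link; either mention the module-doc change in the commit message or split it into its own commit so the two changes can be reviewed separately. Also confirm that the ``security-csp`` label still exists in the security topic, because the release note added in the other file still links to it via ``:ref:`Content Security Policy (CSP) <security-csp>```; if that label were removed along with this reference, the release note would build with a broken cross-reference.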


@ -50,6 +50,48 @@ be a ``CompositePrimaryKey``::
See :doc:`/topics/composite-primary-key` for more details.
Content Security Policy (CSP) Support
-------------------------------------
Django 5.2 introduces built-in :ref:`Content Security Policy (CSP)
<security-csp>` support, making it easier to protect your application against
various types of content injection attacks. CSP helps you specify which content
sources are allowed to be loaded by the browser.
To enable CSP, add the
:class:`~django.middleware.csp.ContentSecurityPolicyMiddleware` to your
settings::
MIDDLEWARE = [
# ...
"django.middleware.csp.ContentSecurityPolicyMiddleware",
# ...
]
You can customize your CSP policy through Django settings:
* :setting:`SECURE_CSP` for the enforced policy
* :setting:`SECURE_CSP_REPORT_ONLY` for the report-only policy
Here's an an example of a basic CSP config::
from django.middleware import csp
SECURE_CSP = {
"DIRECTIVES": {
"default-src": [csp.SELF],
"script-src": [csp.SELF, csp.NONCE],
"style-src": [csp.SELF],
"img-src": [csp.SELF, "https:"],
}
}
Per-view policy customization with can be achieved via the
:func:`~django.views.decorators.csp.csp_exempt` and
:func:`~django.views.decorators.csp.csp_override` decorators.
See :ref:`Using CSP <using-csp>` for more usage details.
Minor features
--------------
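Review bot: two typos in the new release-note text need fixing before merge: ``Here's an an example of a basic CSP config::`` doubles "an" and should read ``Here's an example of a basic CSP config::``, and ``Per-view policy customization with can be achieved via the`` has a stray "with" and should read ``Per-view policy customization can be achieved via the``. Separately, the example policy puts ``csp.NONCE`` in ``script-src``, but nothing in this section says that the generated nonce has to be applied to inline scripts in templates for that directive to be useful; if the ``Using CSP`` section covers it, a short pointer to that here would save readers a detour, and it would also be worth one sentence on when to start with ``SECURE_CSP_REPORT_ONLY`` rather than the enforced policy, since the setting is listed but not explained.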