From 77e89b49e555fb40405c2663adc799277be3e904 Mon Sep 17 00:00:00 2001 From: Rob Hudson Date: Sat, 21 Dec 2024 11:09:58 -0800 Subject: [PATCH] Add a CSP section to the 5.2 release notes --- docs/ref/csp.txt | 6 +++--- docs/releases/5.2.txt | 42 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 45 insertions(+), 3 deletions(-) diff --git a/docs/ref/csp.txt b/docs/ref/csp.txt index 08232fb09f..74f5b9e9b2 100644 --- a/docs/ref/csp.txt +++ b/docs/ref/csp.txt @@ -10,9 +10,9 @@ Content Security Policy (CSP) :synopsis: Middleware for Content Security Policy headers Content Security Policy (CSP) is a web security standard that helps prevent -attacks by controlling the sources from which content can be loaded. :ref:`CSP -enforcement ` plays an important role in a comprehensive security -strategy. +attacks by controlling the sources from which content can be loaded. CSP +enforcement plays an important role in a comprehensive :doc:`security strategy +`. .. _using-csp: diff --git a/docs/releases/5.2.txt b/docs/releases/5.2.txt index aaf47ff8e8..dfb8c548b0 100644 --- a/docs/releases/5.2.txt +++ b/docs/releases/5.2.txt 
@@ -50,6 +50,48 @@ be a ``CompositePrimaryKey``:: See :doc:`/topics/composite-primary-key` for more details. +Content Security Policy (CSP) Support +------------------------------------- + +Django 5.2 introduces built-in :ref:`Content Security Policy (CSP) +` support, making it easier to protect your application against +various types of content injection attacks. CSP helps you specify which content +sources are allowed to be loaded by the browser. + +To enable CSP, add the +:class:`~django.middleware.csp.ContentSecurityPolicyMiddleware` to your +settings:: + + MIDDLEWARE = [ + # ... + "django.middleware.csp.ContentSecurityPolicyMiddleware", + # ... + ] + +You can customize your CSP policy through Django settings: + +* :setting:`SECURE_CSP` for the enforced policy +* :setting:`SECURE_CSP_REPORT_ONLY` for the report-only policy + +Here's an an example of a basic CSP config:: + + from django.middleware import csp + + SECURE_CSP = { + "DIRECTIVES": { + "default-src": [csp.SELF], + "script-src": [csp.SELF, csp.NONCE], + "style-src": [csp.SELF], + "img-src": [csp.SELF, "https:"], + } + } + +Per-view policy customization with can be achieved via the +:func:`~django.views.decorators.csp.csp_exempt` and +:func:`~django.views.decorators.csp.csp_override` decorators. + +See :ref:`Using CSP ` for more usage details. + Minor features --------------
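Review bot: in the docs/ref/csp.txt hunk, the :ref: role on "CSP enforcement" is dropped and a :doc: role on "security strategy" takes its place, but the :doc: target is not visible in the hunk as extracted; confirm that the target resolves in the docs build and that no other page still cross-references the old "CSP enforcement" anchor, since a stale :ref: would surface as an unresolved-reference warning rather than a visible error in the rendered page.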
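Review bot: two typos in the docs/releases/5.2.txt hunk: "Here's an an example of a basic CSP config::" doubles "an", and "Per-view policy customization with can be achieved via" has a stray "with"; suggest "Here's an example of a basic CSP config::" and "Per-view policy customization can be achieved via". Separately, the example places ``csp.NONCE`` in ``script-src`` but the section never says how the generated nonce reaches templates, so a reader who copies the config as-is will have every inline script blocked; a sentence or a pointer to the nonce material in the CSP reference would close that gap.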