mirror of
https://github.com/django/django.git
synced 2024-12-22 17:16:24 +00:00
Add a CSP section to the 5.2 release notes
This commit is contained in:
parent
d30fab2c5d
commit
77e89b49e5
@ -10,9 +10,9 @@ Content Security Policy (CSP)
:synopsis: Middleware for Content Security Policy headers
Content Security Policy (CSP) is a web security standard that helps prevent
attacks by controlling the sources from which content can be loaded. :ref:`CSP
enforcement <security-csp>` plays an important role in a comprehensive security
strategy.
attacks by controlling the sources from which content can be loaded. CSP
enforcement plays an important role in a comprehensive :doc:`security strategy
</topics/security>`.
.. _using-csp:
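Review bot: the old text linked through the ``security-csp`` label while the new text links to the ``/topics/security`` document instead; since the release-notes hunk in this same commit still writes ``:ref:`Content Security Policy (CSP) <security-csp>```, confirm that the ``security-csp`` label remains defined in ``topics/security`` so that cross-reference does not break once this page stops pointing at it. The reworded sentence itself reads fine.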
@ -50,6 +50,48 @@ be a ``CompositePrimaryKey``::
See :doc:`/topics/composite-primary-key` for more details.
Content Security Policy (CSP) Support
-------------------------------------
Django 5.2 introduces built-in :ref:`Content Security Policy (CSP)
<security-csp>` support, making it easier to protect your application against
various types of content injection attacks. CSP helps you specify which content
sources are allowed to be loaded by the browser.
To enable CSP, add the
:class:`~django.middleware.csp.ContentSecurityPolicyMiddleware` to your
settings::
MIDDLEWARE = [
# ...
"django.middleware.csp.ContentSecurityPolicyMiddleware",
# ...
]
You can customize your CSP policy through Django settings:
* :setting:`SECURE_CSP` for the enforced policy
* :setting:`SECURE_CSP_REPORT_ONLY` for the report-only policy
Here's an an example of a basic CSP config::
from django.middleware import csp
SECURE_CSP = {
"DIRECTIVES": {
"default-src": [csp.SELF],
"script-src": [csp.SELF, csp.NONCE],
"style-src": [csp.SELF],
"img-src": [csp.SELF, "https:"],
}
}
Per-view policy customization with can be achieved via the
:func:`~django.views.decorators.csp.csp_exempt` and
:func:`~django.views.decorators.csp.csp_override` decorators.
See :ref:`Using CSP <using-csp>` for more usage details.
Minor features
--------------
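Review bot: two typos in the added prose, "Here's an an example of a basic CSP config::" (doubled "an") and "Per-view policy customization with can be achieved via the" (stray "with"), should be fixed before merge. Beyond that, the example policy puts ``csp.NONCE`` in ``script-src`` but the section never says where the generated nonce ends up for templates, so a reader copying this config gets inline scripts blocked with no hint why; one sentence such as "the middleware generates a per-request nonce that must be added to each inline ``<script>`` tag; see :ref:`Using CSP <using-csp>`" next to the example would close that gap, and the closing "See :ref:`Using CSP <using-csp>` for more usage details." could then carry the rest. The ``SECURE_CSP`` / ``SECURE_CSP_REPORT_ONLY`` bullets should also say which of the two is safe to turn on first in an existing deployment (report-only), since the notes are what most people read when upgrading.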