diff --git a/docs/topics/security.txt b/docs/topics/security.txt index 4f235700d2..f34dcc45be 100644 --- a/docs/topics/security.txt +++ b/docs/topics/security.txt @@ -55,19 +55,19 @@ Content Security Policy (CSP) ============================= It's widely recommended to add a Content Security Policy (CSP) to your website -in order to protect the website and its users from XSS attacks as mentioned in -the previous chapter. CSP defines which source servers that are allowed to embed -content such as scripts, stylesheets, images and fonts into your web pages. +in order to protect from for instance XSS attacks. CSP defines which source +domains that are allowed to embed content such as scripts, stylesheets, images +and fonts into your web pages. -CSP is defined by one or more HTTP headers sent from the web server. The headers +CSP consists of one or more HTTP headers sent from the web server. The headers follow a special format, informing the browser about which sources it is allowed -to fetch content from for this particular domain. +to fetch content from for this particular domain. This allows you to mitigate a +wide range of attacks. -This allows you to mitigate a wide range of attacks. For instance, an attacker -could try to sneak in code for an XSS attack that would embed a malicious -JavaScript to spy on the user. By adding CSP headers, your web server will -inform the user's browser that such a script is never acceptable in the first -place. +For instance, an attacker could try to sneak in code for an XSS attack that +would embed a malicious JavaScript, image or font into your web page. By adding +CSP headers, your web server will inform the user's browser that such a content +file is never acceptable in the first place. CSP can be enabled by adding an external Django package, providing a middleware and an easy configuration layer **or** by configuring your HTTP server to add 
@@ -112,8 +112,6 @@ HSTS for supported browsers. Be very careful with marking views with the ``csrf_exempt`` decorator unless it is absolutely necessary. - - .. _sql-injection-protection: SQL injection protection
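Review bot: the new first paragraph reads "in order to protect from for instance XSS attacks", which is ungrammatical; suggest "in order to protect against attacks such as XSS". The following sentence, "CSP defines which source domains that are allowed to embed content such as scripts, ...", keeps the stray "that" and also describes the mechanism backwards: the policy tells the browser which sources it may load resources from (the second paragraph already says "fetch content from"), not which domains may "embed" content, and those sources are not only domains (CSP source expressions also cover schemes, 'self', nonces and hashes). Consider "CSP defines which sources the browser is allowed to load scripts, stylesheets, images and fonts from." In the last rewritten paragraph, "such a content file is never acceptable" would read better as "such content is never acceptable".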
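Review bot: the second hunk removes both blank lines between "it is absolutely necessary." and the ``.. _sql-injection-protection:`` target (the hunk shrinks from 8 to 6 lines and no blank line is left between them), so the target line now directly follows the paragraph and reStructuredText will parse it as a continuation of that paragraph instead of an explicit hyperlink target, breaking any ``:ref:`` that points at it. Keep at least one blank line before the label; dropping only one of the two removed lines is enough.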