1
0
mirror of https://github.com/django/django.git synced 2024-12-23 01:25:58 +00:00

Added more precision to new CSP section

This commit is contained in:
Benjamin Bach 2024-05-30 11:44:43 +02:00 committed by bbb
parent f95d196487
commit fdd9bbf7e5
No known key found for this signature in database
GPG Key ID: 486F0D69C845416E

View File

@ -55,19 +55,19 @@ Content Security Policy (CSP)
=============================
It's widely recommended to add a Content Security Policy (CSP) to your website
in order to protect the website and its users from XSS attacks as mentioned in
the previous chapter. CSP defines which source servers that are allowed to embed
content such as scripts, stylesheets, images and fonts into your web pages.
in order to protect from for instance XSS attacks. CSP defines which source
domains that are allowed to embed content such as scripts, stylesheets, images
and fonts into your web pages.
CSP is defined by one or more HTTP headers sent from the web server. The headers
CSP consists of one or more HTTP headers sent from the web server. The headers
follow a special format, informing the browser about which sources it is allowed
to fetch content from for this particular domain.
to fetch content from for this particular domain. This allows you to mitigate a
wide range of attacks.
This allows you to mitigate a wide range of attacks. For instance, an attacker
could try to sneak in code for an XSS attack that would embed a malicious
JavaScript to spy on the user. By adding CSP headers, your web server will
inform the user's browser that such a script is never acceptable in the first
place.
For instance, an attacker could try to sneak in code for an XSS attack that
would embed a malicious JavaScript, image or font into your web page. By adding
CSP headers, your web server will inform the user's browser that such a content
file is never acceptable in the first place.
CSP can be enabled by adding an external Django package, providing a middleware
and an easy configuration layer **or** by configuring your HTTP server to add
@ -112,8 +112,6 @@ HSTS for supported browsers.
Be very careful with marking views with the ``csrf_exempt`` decorator unless
it is absolutely necessary.
.. _sql-injection-protection:
SQL injection protection