Website security has been an important factor while developing websites and web applications. Many frameworks come with their own security policies and developers also try to implement the atmost security policies while developing their applications. Still even after this much of hard work hackers will find new ways to penetrate into our app, exploit our code to vulnerabilities. In this article we are going to implement a security header often referred as CSP headers to a Django application.
- HTTP header: HTTP headers let the client and the server pass additional information with an HTTP request or response like MIME type, request status code, cookie and proxy information and more
- XSS: Also abbrevated as Cross Side Scripting, XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users in simple words if exploited can change look and behavior of webpage
- Django: django is an python based web application framework which used to build variety of web apps
What is Content Security Policy?
Some CSP header terminology are
- default-src : the default source to load everything
- style-src : source to load styles
- script-src : source to load javascrpt or generally scripts
- img-src : source to load images
- object-src : source to load media
- report-to : uri to send reports for violating CSP
- ‘self’ : load from same host
- ‘unsafe-inline’ : allow inline styles and scripts
- ‘unsafe-eval’ : allows eval() and similar methods for creating code from strings
- ‘nonce’ : a random string which should be unique per request
How Content Security policy works?
An example of CSP headers is
Content-Security-Policy: default-src 'self'; style-src: 'self' stakpath.bootstrapcdn.com; script 'self' *.cloudflare.com; img-src 'self' imgur.com;
In this CSP header we are telling the browser that the default source for all the styles, scripts, images, objects should be the domain which is passed in the header, along with that we are also allowing stylesheet from stackpath.bootstrapcdn.com which is cdn for bootstrap styles. We are also allowing scripts to be loaded from all Cloudflare subdomains using wildcard subdomain and for images browser can allow to load from imgur.com. Apart from these if the webpage tries to load from other domain like twitter the browser will block the requests.
Implementing CSP headers in django
Django doesn’t come with CSP headers in its core but thanks to Mozilla, they have created a package django-csp to add CSP headers.
# instaling django-csp pip3 install django-csp
add CSP to middleware in our setting.py file of the django project and the we will configure our headers
Configuring CSP headers
Go to settings file of the django project and add the following in the last or anywhere you want
You can add required hostname according to your needs
Instructions to add CSP Header settings in Django Project
Here are some instructions to perfectly implement CSP in your web apps
- Try to avoid adding unnecessary hostnames
- Check as many times as possible while adding or removing hostnames
- Until absolutely necessary don’t add ‘unsafe-inline’, it will weaken our security policy
- Try to avoid inline style and scripts
- Its better not to use CSP in development server right from the start
- Always try to use HTTPS while loading scripts, styles, images.
Attention geek! Strengthen your foundations with the Python Programming Foundation Course and learn the basics.
To begin with, your interview preparations Enhance your Data Structures concepts with the Python DS Course.