Configuring django-csp¶
Content-Security-Policy is a complicated header. There are many values you may need to tweak here.
Note
Note when a setting requires a tuple or list. Since Python strings are iterable, you may get very strange policies and errors.
It’s worth reading the latest CSP spec and making sure you understand it before configuring django-csp.
Policy Settings¶
These settings affect the policy in the header. The defaults are in italics.
Note
The “special” source values of 'self'
, 'unsafe-inline'
,
'unsafe-eval'
, and 'none'
must be quoted! e.g.:
CSP_DEFAULT_SRC = ("'self'",)
. Without quotes they will not work
as intended.
CSP_DEFAULT_SRC
- Set the
default-src
directive. A tuple or list of values, e.g.("'self'", 'cdn.example.net')
. ‘self’ CSP_IMG_SRC
- Set the
img-src
directive. A tuple or list. None CSP_OBJECT_SRC
- Set the
object-src
directive. A tuple or list. None CSP_MEDIA_SRC
- Set the
media-src
directive. A tuple or list. None CSP_FRAME_SRC
- Set the
frame-src
directive. A tuple or list. None CSP_FONT_SRC
- Set the
font-src
directive. A tuple or list. None CSP_CONNECT_SRC
- Set the
connect-src
directive. A tuple or list. None CSP_STYLE_SRC
- Set the
style-src
directive. A tuple or list. None CSP_SANDBOX
- Set the
sandbox
directive. A tuple or list. None CSP_REPORT_URI
- Set the
report-uri
directive. A string with a full or relative URI.
Changing the Policy¶
The policy can be changed on a per-view (or even per-request) basis. See the decorator documentation for more details.
Other Settings¶
These settings control the behavior of django-csp. Defaults are in italics.