June 14, 2018

Content Security Policy with Django

The best way to protect your Django App from XSS attacks (the most common security vulnerability on the web) is by implementing a Content Security Policy (CSP). CSP actually also helps you detect and mitigate several other types of issues for example clickjacking. This makes a Content Security Policy a great tool to significantly increase the security posture of your web application and protect you and your user base from various malicious activities including data theft, malware distribution, and site defacement.

Here is an example of a standard starter policy permitting the use of Google Analytics, but besides that only allowing images, scripts, AJAX and CSS to load from the your own domains:

Content-Security-Policy: default-src 'none'; script-src 'self' www.google-analytics.com; connect-src 'self'; img-src 'self' www.google-analytics.com; style-src 'self';

More examples and configurations, as well as detailed descriptions about the implementation, can be found here.

Protecting your Django App using a Content Security Policy is straight forward

We recommend integrating your CSP header in Django using the great and widely trusted work provided by the Mozilla foundation, “django-csp”. To install, you can either use pip or the GitHub source:

pip install django-csp
git clone https://github.com/mozilla/django-csp.git
cd django-csp
python setup.py install

Next, you simply adjust your project’s settings module to add the “django-csp” middleware to your middleware classes:

MIDDLEWARE_CLASSES = (
    # ...
    'csp.middleware.CSPMiddleware',
    # ...
)

… but configuring and maintaining said policy can be a challenge

CSP works with a whitelisting approach. Everything that is defined as a trusted source gets to load and all other resources will be blocked and reported. Maintaining a policy as you add new dependencies to your app can be tedious and requires frequent updates. Additionally, to make productive use of your Content Security Policy on your Django application you also need to monitor any violations and record them with an endpoint. Unfortunately, “django-csp” no longer handles report processing itself, so you would need to set up your own app to receive and monitor incoming reports.

Templarbit simplifies the configuration and maintenance of a Content Security Policy for your Django app

At Templarbit, we are building a security platform oriented towards simplifying the life of developers and support them in their efforts to increase the security of the software they build. One of our features is the first intelligent XSS defense delivered via CSP Headers. We provide you with the fastest way to deploy and manage a Content Security Policy for your Django application. Managing updates to your Content Security Policy will become a frictionless experience and happens in real time without pushing any code changes. Powering things behind the scenes are a combination of our proprietary data and machine learning models that allow Templarbit to automatically make a decision on policy changes without relying on human input.

If you want to get started with establishing your Content Security Policy today, you can sign up for a 14-day trial or book a free demo with us.