I’m writing to express interest in adding CSP support to Django. The motivation behind this is to provide built-in support for Content Security Policy (CSP), a crucial security feature that helps mitigate a range of attacks such as Cross-Site Scripting (XSS) and data injection attacks.
I have reviewed previous discussions and seen several PRs that never quite made it over the finish line. The general consensus seems to be that most people agree this would be beneficial for Django, although there’s some disagreement on some of the finer details. I’m hoping to spark discussion on those and find consensus.
As the current maintainer of django-csp, I have a good understanding of its strengths and areas for improvement. While I don’t think django-csp should be copied verbatim, I’m willing to adapt the good parts to fit Django standards. I’d love it if this could make it into Django 5.2, and alongside this, I’d like django-csp 4.0 to match the configuration style. This way, it would serve as a good third-party package for those not yet on Django 5.2, while also minimizing the work required to upgrade.
I have initiated a branch if you’d like to see the current direction, but wanted to share my intention here before creating a draft PR to get some general feedback and gauge interest. The branch includes several “TODO” comments on areas I consider open for discussion, which would be easier to comment on once a draft PR is published:
Looking forward to your thoughts and collaboration.
I have reviewed previous discussions and seen several PRs that never quite made it over the finish line. The general consensus seems to be that most people agree this would be beneficial for Django, although there’s some disagreement on some of the finer details.
Would you mind referencing these discussions? Just so that curious people can read up before responding
I’ll gladly admit that CSP often slips my mind in projects, simply because Django provides lots of security, so it’s easy to get lazy and assume that it’s all taken care of. I think I’ve mostly added it in Nginx, but maybe also with django-csp in the earlier days.
It would seem like - no matter the outcome of this discussion - the Django Docs topic on Security could have a section on CSP.
Sure! There may be others but this is what I could find again from browser history…
django-developers list:
A comment from James Bennett, “Content Security Policy support in core. The current django-csp third-party app isn’t necessarily bad, but I’d love to see more good security tools in Django by default.” referenced here
PR from 2014:
PR from 2015:
PR from 2023:
I think I’ll create my own draft PR for my branch now to make it easier to discuss.
really cool that you picked that up. I’m wondering why Adam Johnson didn’t yet jump on this train. If I remember correctly, he argued in favour of this at DjangoCon Europe 2018.
If we add something like this, I’m wondering if we should make Django compliant as well. AFAIK there is an issue with the admin that you have to have unsafe-inline to be set, otherwise some features don’t work. I couldn’t reproduce it on the fly. Does anybody know more about that?
