➕(back) install and configure django csp (#1085)

We want to protect all requests from django with content security policy header. We use the djang-csp library and configure it with default values. Fixes #1000
2025-06-30 10:42:48 +02:00
parent 4ae757ce93
commit dfdfe83db5
6 changed files with 196 additions and 107 deletions
--- a/src/backend/impress/settings.py
+++ b/src/backend/impress/settings.py
@@ -18,9 +18,12 @@ from django.utils.translation import gettext_lazy as _

 import sentry_sdk
 from configurations import Configuration, values
+from csp.constants import NONE
 from sentry_sdk.integrations.django import DjangoIntegration
 from sentry_sdk.integrations.logging import ignore_logger

+# pylint: disable=too-many-lines
+
 # Build paths inside the project like this: BASE_DIR / 'subdir'.
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 DATA_DIR = os.getenv("DATA_DIR", os.path.join("/", "data"))
@@ -289,6 +292,7 @@ class Base(Configuration):
        "django.contrib.auth.middleware.AuthenticationMiddleware",
        "django.contrib.messages.middleware.MessageMiddleware",
        "dockerflow.django.middleware.DockerflowMiddleware",
+        "csp.middleware.CSPMiddleware",
    ]

    AUTHENTICATION_BACKENDS = [
@@ -322,6 +326,7 @@ class Base(Configuration):
        # OIDC third party
        "mozilla_django_oidc",
        "lasuite.malware_detection",
+        "csp",
    ]

    # Cache
@@ -721,6 +726,38 @@ class Base(Configuration):
        environ_prefix=None,
    )

+    # Content Security Policy
+    # See https://content-security-policy.com/ for more information.
+    CONTENT_SECURITY_POLICY = {
+        "EXCLUDE_URL_PREFIXES": values.ListValue(
+            [],
+            environ_name="CONTENT_SECURITY_POLICY_EXCLUDE_URL_PREFIXES",
+            environ_prefix=None,
+        ),
+        "DIRECTIVES": values.DictValue(
+            default={
+                "default-src": [NONE],
+                "script-src": [NONE],
+                "style-src": [NONE],
+                "img-src": [NONE],
+                "connect-src": [NONE],
+                "font-src": [NONE],
+                "object-src": [NONE],
+                "media-src": [NONE],
+                "frame-src": [NONE],
+                "child-src": [NONE],
+                "form-action": [NONE],
+                "frame-ancestors": [NONE],
+                "base-uri": [NONE],
+                "worker-src": [NONE],
+                "manifest-src": [NONE],
+                "prefetch-src": [NONE],
+            },
+            environ_name="CONTENT_SECURITY_POLICY_DIRECTIVES",
+            environ_prefix=None,
+        ),
+    }
+
    # pylint: disable=invalid-name
    @property
    def ENVIRONMENT(self):