Content Security Policy
HIdP comes with a strict Content Security Policy (CSP) to protect against cross-site scripting (XSS). If another CSP implementation already sets the CSP header, HIdP will not override it.
In order for the CSP to work properly, make sure hidp.csp is in your INSTALLED_APPS:
INSTALLED_APPS = [
    ...
    # Hello, ID Please
    "hidp.csp",
]
Decorator
The CSP header is set on views that are decorated with the hidp.csp.decorators.hidp_csp_protection decorator and do not already have the CSP header set.
The decorator also generates a nonce that is accessible on the request.
All of HIdP’s relevant views have been decorated with this decorator and it is possible to decorate your own views like this:
from django.utils.decorators import method_decorator
from django.views import View
from hidp.csp.decorators import hidp_csp_protection


# Apply the decorator to dispatch() so every HTTP method of the view gets the CSP header.
@method_decorator(hidp_csp_protection, name='dispatch')
class MyCustomView(View):
    def get(self, request):
        ...
Template tag
When you override templates and add scripts and/or styles, they will be blocked by the CSP by default. To allow them, the nonce attribute has to be added; it is available through the template tag hidp.csp.templatetags.csp_nonce.
Example use:
{% load csp_nonce %}
<style nonce="{% csp_nonce %}"></style>
<script nonce="{% csp_nonce %}"></script>
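The following is an added, dependency-free illustration of the behaviour described in the Decorator and Template tag sections above; it is not HIdP's own code and does not import Django. The `Request`, `Response`, `csp_protection` and `csp_nonce` names are stand-ins constructed for this example: the decorator generates a per-request nonce, sets a strict policy only when no CSP header is present, and `script_allowed` shows why a script without the matching nonce is blocked.

```python
import secrets
from functools import wraps

CSP_HEADER = "Content-Security-Policy"


class Request:
    """Minimal stand-in for a Django HttpRequest (constructed for this example)."""

    def __init__(self):
        self.csp_nonce = None


class Response:
    """Minimal stand-in for a Django HttpResponse: a body plus a header dict."""

    def __init__(self, body="", headers=None):
        self.body = body
        self.headers = dict(headers or {})


def build_policy(nonce):
    # Strict policy: inline scripts/styles run only if they carry this request's nonce.
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        f"style-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
    )


def csp_protection(view):
    """Hypothetical equivalent of hidp_csp_protection for plain functions."""

    @wraps(view)
    def wrapper(request, *args, **kwargs):
        # Fresh, unguessable nonce per request; exposed on the request object.
        request.csp_nonce = secrets.token_urlsafe(16)
        response = view(request, *args, **kwargs)
        # Respect an existing CSP header: only set the policy when none is present.
        if CSP_HEADER not in response.headers:
            response.headers[CSP_HEADER] = build_policy(request.csp_nonce)
        return response

    return wrapper


def csp_nonce(request):
    """Stand-in for the {% csp_nonce %} template tag: returns this request's nonce."""
    return request.csp_nonce


@csp_protection
def my_view(request):
    # Emulates a template whose inline script carries the nonce attribute.
    body = f'<script nonce="{csp_nonce(request)}">console.log("ok")</script>'
    return Response(body)


@csp_protection
def view_with_own_policy(request):
    # A view (or middleware) that already set a CSP header keeps it untouched.
    return Response("x", {CSP_HEADER: "default-src 'none'"})


def script_allowed(policy, script_nonce):
    """Return True if an inline script with the given nonce attribute satisfies
    the policy's script-src directive (falling back to default-src)."""
    directives = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0]] = parts[1:]
    sources = directives.get("script-src", directives.get("default-src", []))
    has_nonce_source = any(s.startswith("'nonce-") for s in sources)
    # Browsers ignore 'unsafe-inline' once a nonce (or hash) source is present.
    if "'unsafe-inline'" in sources and not has_nonce_source:
        return True
    return script_nonce is not None and f"'nonce-{script_nonce}'" in sources


if __name__ == "__main__":
    req = Request()
    resp = my_view(req)
    print(resp.headers[CSP_HEADER])
    print("with nonce:", script_allowed(resp.headers[CSP_HEADER], req.csp_nonce))
    print("without nonce:", script_allowed(resp.headers[CSP_HEADER], None))
```

Running the module prints the generated policy and shows that the same inline script is allowed only when its nonce attribute matches the value placed in the header for that request; a script tag in an overridden template that omits `{% csp_nonce %}` falls into the blocked case.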