-
Notifications
You must be signed in to change notification settings - Fork 106
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
2 changed files
with
88 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,80 @@ | ||
|
||
# django-csp v4 Migration Guide | ||
|
||
## Overview | ||
|
||
In the latest version of `django-csp`, the format for configuring Content Security Policy (CSP) | ||
settings has been updated are are backwards-incompatible with prior versions. The previous approach | ||
of using individual settings prefixed with `CSP_` for each directive is no longer valid. Instead, | ||
all CSP settings are now consolidated into one of two dict-based settings: `CONTENT_SECURITY_POLICY` | ||
or `CONTENT_SECURITY_POLICY_REPORT_ONLY`. | ||
|
||
## Migrating from the Old Settings Format | ||
|
||
### Step 1: Identify Existing CSP Settings | ||
|
||
First, locate all the existing CSP settings in your Django project. These settings typically start | ||
with the `CSP_` prefix, such as `CSP_DEFAULT_SRC`, `CSP_SCRIPT_SRC`, `CSP_IMG_SRC`, and | ||
`CSP_EXCLUDE_URL_PREFIXES`. | ||
|
||
### Step 2: Create the New Settings Dictionary | ||
|
||
In your Django project's `settings.py` file, create a new dictionary called | ||
`CONTENT_SECURITY_POLICY` or `CONTENT_SECURITY_POLICY_REPORT_ONLY`, depending on whether you want to | ||
enforce the policy or report violations. | ||
|
||
```python | ||
CONTENT_SECURITY_POLICY = { | ||
"EXCLUDE_URL_PREFIXES": [], | ||
"DIRECTIVES": {}, | ||
} | ||
``` | ||
|
||
### Step 3: Migrate Existing Settings | ||
|
||
Migrate your existing CSP settings to the new format by populating the `DIRECTIVES` dictionary | ||
inside the `CONTENT_SECURITY_POLICY` setting. The keys of the `DIRECTIVES` dictionary should be the | ||
CSP directive names in lowercase, and the values should be lists containing the corresponding | ||
sources. | ||
|
||
For example, if you had the following old settings: | ||
|
||
```python | ||
CSP_DEFAULT_SRC = ["'self'", "*.example.com"] | ||
CSP_SCRIPT_SRC = ["'self'", "js.cdn.com/example/"] | ||
CSP_IMG_SRC = ["'self'", "data:", "example.com"] | ||
CSP_EXCLUDE_URL_PREFIXES = ["/admin"] | ||
``` | ||
|
||
The new settings would be: | ||
|
||
```python | ||
CONTENT_SECURITY_POLICY = { | ||
"EXCLUDE_URL_PREFIXES": ["/admin"], | ||
"DIRECTIVES": { | ||
"default-src": ["'self'", "*.example.com"], | ||
"script-src": ["'self'", "js.cdn.com/example/"], | ||
"img-src": ["'self'", "data:", "example.com"], | ||
}, | ||
} | ||
``` | ||
|
||
Note that the directive names in the `DIRECTIVES` dictionary are in lowercase and use dashes instead | ||
of underscores. | ||
|
||
### Step 4: Remove Old Settings | ||
|
||
After migrating to the new settings format, remove all the old `CSP_` prefixed settings from your | ||
`settings.py` file. | ||
|
||
### Step 5: Update the django-csp Version | ||
|
||
Finally, update your `django-csp` version to the latest version that support the new settings | ||
format. | ||
|
||
## Conclusion | ||
|
||
By following this migration guide, you should be able to successfully update your Django project to | ||
use the new dict-based CSP settings format introduced in the latest version of `django-csp`. This | ||
change aligns the package with the latest CSP specification and provides a more organized and | ||
flexible way to configure your Content Security Policy. |