django-feature-policy
Set the draft security HTTP header Feature-Policy on your Django app.
Requirements
Tested with all combinations of:
Python: 3.6
Django: 2.0, 2.1, 2.2
Python 3.4+ supported.
Installation
Install with pip:
pip install django-feature-policy
Then add the middleware, best placed after Django's SecurityMiddleware, which adds similar security headers that you'll want on every response:
MIDDLEWARE = [
    ...
    'django.middleware.security.SecurityMiddleware',
    'django_feature_policy.FeaturePolicyMiddleware',
    ...
]
By default no header is set; configure the setting as described below.
Setting
Change the FEATURE_POLICY setting to configure what Feature-Policy header gets set.
This should be a dictionary laid out with:
Keys as the names of browser features - a full list is available on the W3 Spec repository. The MDN article is also worth reading.
Values as lists of strings, where each string is either an origin, e.g. 'https://example.com', or one of the special values 'self', 'none', or '*'. If there is just one value, no containing list is necessary. Note that in the header, special values like 'none' are wrapped in single quotes; do not include these quotes in your Python string, as the middleware adds them.
If the keys or values are invalid, ImproperlyConfigured will be raised at instantiation time, or when processing a response. The current feature list is pulled from the JavaScript API with document.featurePolicy.allowedFeatures() on Chrome.
Examples
Disable geolocation from running in the current page and any iframe:
FEATURE_POLICY = {
'geolocation': 'none',
}
Allow autoplay from the current origin and iframes from https://archive.org:
FEATURE_POLICY = {
'autoplay': ['self', 'https://archive.org'],
}
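The two examples above map onto the header as `geolocation 'none'` and `autoplay 'self' https://archive.org`. To make that mapping concrete, here is an added, standalone serializer that turns a FEATURE_POLICY-style dict into the Feature-Policy header value following the rules in the Setting section. It is not the package's own code: the feature whitelist is a constructed subset, origins are recognised by a simplified http(s) prefix check, and ValueError stands in for Django's ImproperlyConfigured.

```python
# Standalone illustration of how a FEATURE_POLICY-style dict becomes the
# Feature-Policy header value. Added example, not the package's own code.

# Constructed subset of feature names; the real list comes from
# document.featurePolicy.allowedFeatures() in Chrome, as the README says.
KNOWN_FEATURES = frozenset({
    "autoplay", "camera", "document-domain", "geolocation",
    "microphone", "payment", "wake-lock",
})

# Special values that the header wraps in single quotes ('*' is not quoted).
QUOTED_TOKENS = ("self", "none")


def serialize_feature_policy(policy):
    """Return the header value for a dict shaped like the FEATURE_POLICY setting.

    Keys are feature names; each value is a single string or a list of strings,
    where a string is an origin or one of 'self', 'none', '*'. Invalid input
    raises ValueError here (the middleware raises ImproperlyConfigured).
    Returns None for an empty policy, mirroring "no header is set by default".
    """
    directives = []
    for feature, allowlist in policy.items():
        if feature not in KNOWN_FEATURES:
            raise ValueError("Unknown feature: %r" % (feature,))
        # A bare string is allowed in place of a one-element list.
        if isinstance(allowlist, str):
            allowlist = [allowlist]
        if not allowlist:
            raise ValueError("Empty allowlist for feature %r" % (feature,))
        tokens = []
        for value in allowlist:
            if value in QUOTED_TOKENS:
                tokens.append("'%s'" % value)   # quotes added here, not by the caller
            elif value == "*" or value.startswith(("https://", "http://")):
                tokens.append(value)            # assumption: simplified origin check
            else:
                raise ValueError("Invalid value %r for feature %r" % (value, feature))
        # Allowlist entries are space-separated within one feature directive.
        directives.append("%s %s" % (feature, " ".join(tokens)))
    # Feature directives are separated by "; " in the header.
    return "; ".join(directives) if directives else None
```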
History
Pending release
2.2.0 (2019-05-08)
Fix interpretation of ‘*’ by not automatically adding quotes.
Optimize header generation to reduce impact on every request.
2.1.0 (2019-04-28)
Tested on Django 2.2. No changes were needed for compatibility.
2.0.0 (2019-03-29)
Updated to the latest set of features from Chrome. ‘animations’, ‘image-compression’, and ‘max-downscaling-image’ have been removed, whilst ‘document-domain’, ‘font-display-late-swap’, ‘layout-animations’, ‘oversized-images’, ‘unoptimized-images’, and ‘wake-lock’ have been added. See more at https://github.com/w3c/webappsec-feature-policy/blob/master/features.md .
1.0.1 (2019-01-02)
Support for new ‘lazyload’ feature, per https://www.chromestatus.com/feature/5641405942726656.
1.0.0 (2018-10-24)
First release, supporting adding the header with a middleware.