Add missing "Content-Security-Policy" header (#1171)

* add Content-Security-Policy header Signed-off-by: Akihiko Kuroda <akihikokuroda2020@gmail.com>
Qiskit · Jan 19, 2024 · dea441a · dea441a
1 parent 83b9a44
commit dea441a
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/gateway/main/settings.py b/gateway/main/settings.py
@@ -65,6 +65,7 @@
 ]
 
 MIDDLEWARE = [
+    "csp.middleware.CSPMiddleware",
     "allow_cidr.middleware.AllowCIDRMiddleware",
     "django_prometheus.middleware.PrometheusBeforeMiddleware",
     "django.middleware.security.SecurityMiddleware",
@@ -346,3 +347,9 @@
 QISKIT_IBM_URL = os.environ.get(
     "QISKIT_IBM_URL", "https://auth.quantum-computing.ibm.com/api"
 )
+
+# Content Security Policy
+CSP_DEFAULT_SRC = "'none'"
+CSP_SCRIPT_SRC = "'none'"
+CSP_FRAME_ANCESTORS = "'self'"
+CSP_OBJECT_SRC = "'self'"
diff --git a/gateway/requirements.txt b/gateway/requirements.txt
@@ -4,6 +4,7 @@ Markdown>=3.5.1
 django-allauth>=0.58.2
 django-allow-cidr>=0.7.1
 dj-rest-auth>=5.0.2
+django-csp>=3.7
 djangorestframework-simplejwt>=5.3.0
 django_prometheus>=2.3.1
 ray[default]>=2.9.0