Merge pull request #260 from RockefellerArchiveCenter/development

Add SCP headers
RockefellerArchiveCenter · Dec 12, 2022 · 442c17b · 442c17b
2 parents 02a7724 + 3c53f87
commit 442c17b
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 0 deletions.
diff --git a/request_broker/settings.py b/request_broker/settings.py
@@ -53,6 +53,7 @@
     'django.contrib.auth.middleware.AuthenticationMiddleware',
     'django.contrib.messages.middleware.MessageMiddleware',
     'django.middleware.clickjacking.XFrameOptionsMiddleware',
+    'csp.middleware.CSPMiddleware',
 ]
 
 ROOT_URLCONF = 'request_broker.urls'
@@ -137,6 +138,11 @@
 CORS_ALLOWED_ORIGINS = config.DJANGO_CORS_ALLOWED_ORIGINS
 DIMES_BASEURL = config.DIMES_BASEURL
 
+# Content Security Policy
+CSP_IMG_SRC = ("'self'")
+CSP_STYLE_SRC = ("'self'", "'unsafe-inline'")
+CSP_SCRIPT_SRC = ("'self'", "'unsafe-inline'")
+
 ARCHIVESSPACE = {
     "baseurl": config.AS_BASEURL,
     "username": config.AS_USERNAME,

diff --git a/requirements.in b/requirements.in
@@ -1,6 +1,7 @@
 ArchivesSnake~=0.9
 Django~=4.0.7
 django-cors-headers~=3.12
+django-csp~=3.7
 djangorestframework~=3.13
 inflect~=5.6
 ordered-set~=4.1

diff --git a/requirements.txt b/requirements.txt
@@ -20,9 +20,12 @@ django==4.0.8
     # via
     #   -r requirements.in
     #   django-cors-headers
+    #   django-csp
     #   djangorestframework
 django-cors-headers==3.13.0
     # via -r requirements.in
+django-csp==3.7
+    # via -r requirements.in
 djangorestframework==3.14.0
     # via -r requirements.in
 idna==3.4