# Django Security Headers Example

Example project to show the implementation of various security headers in Django.

Requirements: Python 3.7+
## Quick Start

- Clone the repository
- Create a new virtual environment: `python3 -m venv venv`
- Activate your new virtual environment
- Install the dependencies: `pip install -r requirements.txt`
- Run the development server: `./manage.py runserver`
- Make an HTTP request to `localhost:8000` to view the headers: `curl -I localhost:8000`
## Overview

Inside `config/settings`, you'll see a `base.py` and a `prod.py`. The `base.py` is intended as the local development settings, and the `prod.py` is intended as the production settings.

In `base.py`, starting on line 115, you will find the start of the security header configuration as well as links to the proper documentation.

`prod.py` sets the security headers that depend on an HTTPS connection, such as `Strict-Transport-Security`. Developing on `localhost` does not come with a valid TLS certificate for an HTTPS connection. Keeping all settings that depend on an HTTPS connection in `prod.py` allows us to develop locally and still deploy with the correct settings for an HTTPS connection in production.
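The split described above, as an added example that is not the repository's own `prod.py`: the Django settings that only make sense over HTTPS (the ones a `base.py` for local development leaves out), together with a small check that reports which of them a settings mapping is still missing. The setting names are Django's own; the values and the `missing_https_settings` helper are constructed for this example.

```python
"""Added example: HTTPS-dependent Django security settings and a pre-deploy check."""

# Settings that should only be enabled once the site is actually served over HTTPS.
# Turning these on while developing on plain-HTTP localhost breaks the local site
# (redirect loops, cookies the browser refuses to send), which is why they live in
# prod.py rather than base.py. Values are constructed for this example.
HTTPS_SECURITY_SETTINGS = {
    "SECURE_SSL_REDIRECT": True,            # redirect every HTTP request to HTTPS
    "SECURE_HSTS_SECONDS": 31536000,        # Strict-Transport-Security max-age (one year)
    "SECURE_HSTS_INCLUDE_SUBDOMAINS": True, # caveat: every subdomain must serve HTTPS first
    "SECURE_HSTS_PRELOAD": True,            # caveat: preload-list entries are hard to undo
    "SESSION_COOKIE_SECURE": True,          # session cookie never sent over plain HTTP
    "CSRF_COOKIE_SECURE": True,             # same for the CSRF cookie
}


def missing_https_settings(settings):
    """Return the names of HTTPS-dependent settings that are absent or disabled.

    `settings` is any mapping of setting name to value (e.g. the contents of a
    settings module). A boolean setting counts only when it is exactly True; the
    HSTS max-age counts only when it is non-zero, because 0 disables the header.
    """
    missing = []
    for name, expected in HTTPS_SECURITY_SETTINGS.items():
        value = settings.get(name)
        if isinstance(expected, bool):  # checked first: bool is a subclass of int
            if value is not True:
                missing.append(name)
        elif not value:
            missing.append(name)
    return missing


if __name__ == "__main__":
    # Constructed stand-ins for the two settings modules.
    base_settings = {"DEBUG": True}
    prod_settings = {"DEBUG": False, **HTTPS_SECURITY_SETTINGS}
    print("base.py missing:", missing_https_settings(base_settings))
    print("prod.py missing:", missing_https_settings(prod_settings))
```

Django ships an equivalent check for the real settings module: `python manage.py check --deploy` warns about each of these settings when it is left at its insecure default, so run it against the production settings before deploying.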
## Python Packages

Django has built-in support for a lot of the security headers. Additionally, Django 3.0 adds support for `Referrer-Policy`. However, sending all of the headers requires a few additional packages and a custom middleware.

- django-csp provides the `Content-Security-Policy` header
- django-feature-policy provides the `Feature-Policy` header
- The custom middleware in `django_security_headers_example/core/middleware.py` provides `Expect-CT` and `Referrer-Policy` for Django versions before 3.0
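An added example of the kind of middleware the last bullet refers to; it is not the code from `core/middleware.py`. It follows Django's middleware protocol (a class constructed once with `get_response` and called per request) and adds the two headers only when a view has not already set them, using `response.setdefault`, which Django's `HttpResponse` provides. The header values are constructed for this example; `Expect-CT` is included because the page names it, but browsers have since deprecated that header (Chrome dropped support in 2022), so on current Django the `Referrer-Policy` half is better served by `SECURE_REFERRER_POLICY` and the built-in `SecurityMiddleware`.

```python
"""Added example: Django-style middleware that sets Referrer-Policy and Expect-CT."""

# Constructed values for this example. "strict-origin-when-cross-origin" sends the
# full URL only to same-origin requests and just the origin elsewhere; the Expect-CT
# value asks the browser to enforce Certificate Transparency for one day.
REFERRER_POLICY = "strict-origin-when-cross-origin"
EXPECT_CT = "max-age=86400, enforce"


class SecurityHeadersMiddleware:
    """Adds response headers that Django versions before 3.0 do not set themselves.

    Register it in settings.MIDDLEWARE; Django instantiates it once with the next
    handler in the chain and calls the instance for every request.
    """

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        response = self.get_response(request)
        # setdefault leaves a value a view chose deliberately (e.g. a stricter
        # Referrer-Policy on one endpoint) untouched and only fills in the gaps.
        response.setdefault("Referrer-Policy", REFERRER_POLICY)
        response.setdefault("Expect-CT", EXPECT_CT)
        return response


def headers_for(view_headers=None):
    """Run a request through the middleware stand-alone (no Django needed).

    A plain dict stands in for HttpResponse here: both support item assignment and
    setdefault, which is all the middleware relies on. `view_headers` are the
    headers the simulated view already set.
    """
    middleware = SecurityHeadersMiddleware(lambda request: dict(view_headers or {}))
    return middleware(request=None)


if __name__ == "__main__":
    for name, value in headers_for().items():
        print(f"{name}: {value}")
```

To inspect the result against the running project, `curl -I localhost:8000` (from the Quick Start) shows whether both headers are present on every response.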