
feat: enable content security policy (CSP) #1961

Merged: mschoettle merged 6 commits into main from ms/django-6-csp on Mar 9, 2026

@mschoettle mschoettle commented Mar 5, 2026

Enables CSP, which is a new feature in Django 6.

Builds on

@mschoettle mschoettle requested a review from staceybeard March 5, 2026 21:06
Base automatically changed from renovate/django-6.x to main March 6, 2026 01:05

@staceybeard staceybeard left a comment

It's good to enable CSP, but in my experience it causes a lot of new errors to show up, so I'd suggest keeping an eye out for problems in the next couple of weeks.

@mschoettle mschoettle marked this pull request as ready for review March 9, 2026 14:16
@mschoettle (Member, Author)

> It's good to enable CSP, but in my experience it causes a lot of new errors to show up, so I'd suggest keeping an eye out for problems in the next couple of weeks.

Absolutely.
I tested with SECURE_CSP_REPORT_ONLY first and the amount of included JavaScript is fairly limited. That's how I found the problems with the embedded plotlyjs.
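
One way to triage what a report-only rollout produces before switching to enforcement, as an added example that is not part of this pull request or the project's code. It assumes the policy carries a `report-uri` or `report-to` directive and that the raw report bodies were stored somewhere; the sample reports and the `summarize` helper are constructed for illustration.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample bodies (not from the project's logs): two legacy
# report-uri objects, one Reporting API array, and one junk submission.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://app.example/stats/", '
    '"effective-directive": "script-src-elem", "blocked-uri": "inline"}}',
    '{"csp-report": {"document-uri": "https://app.example/stats/", '
    '"effective-directive": "script-src-elem", "blocked-uri": "inline"}}',
    '[{"type": "csp-violation", "body": {"documentURL": "https://app.example/", '
    '"effectiveDirective": "img-src", "blockedURL": "https://cdn.example/a.png?v=3"}}]',
    "not json",  # report endpoints are unauthenticated, so expect junk
]


def _source(blocked):
    """Reduce a blocked URL to its origin; keep keywords such as 'inline'."""
    try:
        parts = urlsplit(blocked)
    except ValueError:
        return "(unparseable)"
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return blocked[:64] or "(empty)"


def _violations(raw):
    """Yield (directive, blocked) pairs from one request body, either format."""
    try:
        data = json.loads(raw)
    except (TypeError, ValueError):
        return
    for item in data if isinstance(data, list) else [data]:
        if not isinstance(item, dict):
            continue
        legacy, body = item.get("csp-report"), item.get("body")
        if isinstance(legacy, dict):
            yield legacy.get("effective-directive"), legacy.get("blocked-uri")
        elif item.get("type") == "csp-violation" and isinstance(body, dict):
            yield body.get("effectiveDirective"), body.get("blockedURL")


def summarize(raw_reports):
    """Count violations per (directive, blocked source), skipping malformed input."""
    counts = Counter()
    for raw in raw_reports:
        for directive, blocked in _violations(raw):
            if isinstance(directive, str) and isinstance(blocked, str):
                counts[(directive[:64], _source(blocked))] += 1
    return counts
```

`summarize(SAMPLE_REPORTS).most_common()` lists the directive and source pairs by frequency, which is the list to resolve before moving the policy from report-only to enforcing.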

@mschoettle mschoettle merged commit 4f6c6b8 into main Mar 9, 2026
7 checks passed
@mschoettle mschoettle deleted the ms/django-6-csp branch March 9, 2026 14:43