| author | Rob Hudson <rob@cogit8.org> | 2025-05-03 10:01:58 -0700 |
|---|---|---|
| committer | nessita <124304+nessita@users.noreply.github.com> | 2025-06-27 15:57:02 -0300 |
| commit | d63241ebc7067fdebbaf704989b34fcd8f26bbe9 (patch) | |
| tree | 07b5a5cb0c70c446f5f0fb9ad2834501fc3d6544 /django/conf | |
| parent | 3f59711581bd22ebd0f13fb040b15b69c0eee21f (diff) | |
Fixed #15727 -- Added Content Security Policy (CSP) support.
This initial work adds a pair of settings to configure specific CSP
directives for enforcing or reporting policy violations, a new
`django.middleware.csp.ContentSecurityPolicyMiddleware` to apply the
appropriate headers to responses, and a context processor to support CSP
nonces in templates for safely inlining assets.
Relevant documentation has been added for the 6.0 release notes,
security overview, a new how-to page, and a dedicated reference section.
Thanks to the multiple reviewers for their precise and valuable feedback.
Co-authored-by: Natalia <124304+nessita@users.noreply.github.com>
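To make the settings described in the commit message concrete, the following is an added, self-contained example (not Django's code and not the middleware or context processor this commit introduces): it models how a pair of directive mappings in the style of `SECURE_CSP` / `SECURE_CSP_REPORT_ONLY` can be rendered into `Content-Security-Policy` and `Content-Security-Policy-Report-Only` headers, and how a per-response nonce is minted and spliced into `script-src` for inline assets. The dict shape (directive name to list of source expressions, or `True` for valueless directives), the `NONCE` sentinel, and every function name are assumptions made for illustration; the real setting format is defined in the reference docs this commit adds.

```python
from __future__ import annotations

import secrets

# Sentinel that stands in for "the nonce of the current response".
# Assumption for this example; Django's own placeholder may differ.
NONCE = "<nonce>"

ENFORCE_HEADER = "Content-Security-Policy"
REPORT_ONLY_HEADER = "Content-Security-Policy-Report-Only"


def make_nonce(num_bytes: int = 16) -> str:
    """Return a fresh, unpredictable nonce for exactly one response.

    128 bits from a CSPRNG, URL-safe base64 (allowed by the CSP3 grammar).
    Reusing a nonce across responses defeats its purpose, so callers must
    mint one per response.
    """
    return secrets.token_urlsafe(num_bytes)


def build_policy(directives: dict[str, list[str] | bool],
                 nonce: str | None = None) -> str:
    """Serialise a directive mapping into a CSP header value.

    directives: e.g. {"default-src": ["'self'"], "script-src": ["'self'", NONCE]}
                A value of True emits a valueless directive such as
                "upgrade-insecure-requests"; False/None omits the directive.
    nonce:      the per-response nonce substituted for the NONCE sentinel.
    """
    parts: list[str] = []
    for name, value in directives.items():
        if value is True:
            parts.append(name)
            continue
        if not value:  # False, None or an empty list: leave it out entirely
            continue
        sources: list[str] = []
        for src in value:
            if src == NONCE:
                if nonce is None:
                    # Emitting a literal placeholder would yield an invalid
                    # source and silently block the very scripts it should allow.
                    raise ValueError(f"{name} uses NONCE but no nonce was supplied")
                src = f"'nonce-{nonce}'"
            sources.append(src)
        parts.append(f"{name} {' '.join(sources)}")
    return "; ".join(parts)


def csp_headers(enforce: dict[str, list[str] | bool],
                report_only: dict[str, list[str] | bool],
                nonce: str | None = None) -> dict[str, str]:
    """Headers to attach to one response.

    An empty mapping produces no header at all (the assumed meaning of the
    `{}` defaults); both headers may be sent together, which is the usual
    way to trial a stricter policy in report-only mode while enforcing a
    looser one.
    """
    headers: dict[str, str] = {}
    if enforce:
        headers[ENFORCE_HEADER] = build_policy(enforce, nonce)
    if report_only:
        headers[REPORT_ONLY_HEADER] = build_policy(report_only, nonce)
    return headers


def inline_script(nonce: str, body: str) -> str:
    """Render an inline <script> that the nonce-bearing policy will permit."""
    return f'<script nonce="{nonce}">{body}</script>'


if __name__ == "__main__":
    # Constructed sample policies, in the assumed dict-of-directives shape.
    enforce = {"default-src": ["'self'"], "script-src": ["'self'", NONCE]}
    report_only = {"default-src": ["'none'"], "upgrade-insecure-requests": True}
    n = make_nonce()
    for k, v in csp_headers(enforce, report_only, n).items():
        print(f"{k}: {v}")
    print(inline_script(n, "console.log('allowed by nonce')"))
```

Because `build_policy` refuses to emit a policy whose `NONCE` sentinel has no value, a misconfigured deployment fails loudly at response time rather than shipping a header that blocks every inline script.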
Diffstat (limited to 'django/conf')
| -rw-r--r-- | django/conf/global_settings.py | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/django/conf/global_settings.py b/django/conf/global_settings.py index 672c46b88f..a414d1428c 100644 --- a/django/conf/global_settings.py +++ b/django/conf/global_settings.py @@ -663,6 +663,12 @@ SECURE_REFERRER_POLICY = "same-origin" SECURE_SSL_HOST = None SECURE_SSL_REDIRECT = False +################## +# CSP MIDDLEWARE # +################## +SECURE_CSP = {} +SECURE_CSP_REPORT_ONLY = {} + # RemovedInDjango70Warning: A transitional setting helpful in early adoption of # HTTPS as the default protocol in urlize and urlizetrunc when no protocol is # provided. Set to True to assume HTTPS during the Django 6.x release cycle. |
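Review bot: the two new settings in this hunk, `SECURE_CSP = {}` and `SECURE_CSP_REPORT_ONLY = {}`, are added under the `# CSP MIDDLEWARE #` banner with no comment on their expected structure or on what the empty-dict default means, while the neighbouring transitional setting that follows carries an explanatory comment; consider a one- or two-line comment above each (for example, that the value maps CSP directive names to their sources and that an empty mapping leaves the corresponding header unset), since global_settings.py is where most people first look for a setting's shape before reaching the reference docs. The banner text could also mention that the settings feed the context processor as well as the middleware, as the commit message says, so the "MIDDLEWARE" label does not read as the only consumer.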
