
django-security 0.1.20b

A collection of tools to help secure a Django project.

Latest Version: 0.9.6

# Django-Security

This package offers a number of models, views, middlewares and forms to facilitate security hardening of Django applications.

# Full documentation

Automatically generated documentation of `django-security` is available on Read The Docs:

* [Django-security documentation](

# Installation

Install from Python packages repository:

```shell
pip install django-security
```

If you prefer the latest development version, install from
[django-security]( repository on GitHub:

```shell
git clone
cd django-security
sudo python install
```

Adding to Django application's `` file:


Middleware modules can be added to the `MIDDLEWARE_CLASSES` list in the settings file:


Unlike the modules listed above, some other modules **require** configuration settings,
fully described in [django-security documentation](
A brief description is provided below.

## Middleware

The provided middleware modules modify the web application's output and input and in most cases require no
or minimal configuration.


| Middleware | Description |
| --- | --- |
| `ContentNoSniff` | Disable possibly insecure autodetection of MIME types in browsers. *Recommended.* |
| `ContentSecurityPolicyMiddleware` | Send a Content Security Policy (CSP) header in the HTTP response. *Recommended*, requires careful tuning. |
| `DoNotTrackMiddleware` | Read the user's browser DoNotTrack preference and pass it to the application. *Recommended*, requires implementation in views and templates. |
| `LoginRequiredMiddleware` | Requires a user to be authenticated to view any page on the site that has not been whitelisted. |
| `MandatoryPasswordChangeMiddleware` | Redirects any request from an authenticated user to the password change form if that user's password has expired. |
| `NoConfidentialCachingMiddleware` | Adds No-Cache and No-Store headers to confidential pages. |
| `P3PPolicyMiddleware` | Adds the HTTP header attribute specifying a compact P3P policy. |
| `SessionExpiryPolicyMiddleware` | Expire sessions on browser close and at the expiry times stored in the cookie itself. |
| `StrictTransportSecurityMiddleware` | Enforce an SSL/TLS connection and disable plaintext fallback. *Recommended* for SSL/TLS sites. |
| `XFrameOptionsMiddleware` | Disable framing of the website, mitigating clickjacking attacks. *Recommended.* |
| `XssProtectMiddleware` | Enforce the browser's Cross-Site Scripting protection. *Recommended.* |


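Each of the header-setting middleware modules above corresponds to one standard response header. The following check, added here as an example and not code from `django-security` itself, audits a response's headers for those protections so a deployment can be verified after the middleware is enabled; the `audit_headers` function, the `EXPECTED` map and the two sample responses are constructed for this example.

```python
"""Audit response headers for the protections the middleware table above describes."""

# Standard header each middleware sets, the middleware responsible, and a
# predicate accepting a sound value (added example, not django-security code).
EXPECTED = {
    "X-Content-Type-Options": ("ContentNoSniff", lambda v: v.strip().lower() == "nosniff"),
    "Content-Security-Policy": ("ContentSecurityPolicyMiddleware", lambda v: bool(v.strip())),
    "Strict-Transport-Security": ("StrictTransportSecurityMiddleware", lambda v: "max-age=" in v.lower()),
    "X-Frame-Options": ("XFrameOptionsMiddleware", lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN")),
    "X-XSS-Protection": ("XssProtectMiddleware", lambda v: v.strip().startswith("1")),
}


def audit_headers(headers, confidential=False):
    """Return (header, middleware, problem) tuples for each protection missing or weak.
    With confidential=True the response must also carry the no-cache/no-store
    directives that NoConfidentialCachingMiddleware adds.
    """
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    for name, (middleware, acceptable) in EXPECTED.items():
        value = lower.get(name.lower())
        if value is None:
            findings.append((name, middleware, "missing"))
        elif not acceptable(value):
            findings.append((name, middleware, f"weak value: {value!r}"))
    if confidential:
        directives = {d.strip().lower() for d in lower.get("cache-control", "").split(",")}
        if not {"no-cache", "no-store"} <= directives:
            findings.append(("Cache-Control", "NoConfidentialCachingMiddleware",
                             "confidential page is cacheable"))
    return findings


# Constructed sample responses: a bare Django response, and the same response
# after the recommended middleware has added its headers.
UNHARDENED = {"Content-Type": "text/html; charset=utf-8"}
HARDENED = {
    **UNHARDENED,
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "Cache-Control": "no-cache, no-store, must-revalidate",
}

if __name__ == "__main__":
    for header, middleware, problem in audit_headers(UNHARDENED, confidential=True):
        print(f"{header}: {problem} (add {middleware})")
```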
## Views


View that allows reception of Content Security Policy violation reports sent by browsers in response
to the CSP header set by `ContentSecurityPolicyMiddleware`. This should be used only if long-term, continuous CSP report
analysis is required. For a one-time CSP setup, [CspBuilder]( is much simpler.

This view can be configured to either log received reports or store them in the database.
See the [documentation]( for details.


A view decorator which ensures that the request being processed by the view is an AJAX request. Example usage:

```python
# The view is wrapped with the AJAX-only decorator described above.
def myview(request):
    ...
```

## Models


Content Security Policy violation report object. Only makes sense if `ContentSecurityPolicyMiddleware` and the `csp_report` view are used.
With this model, the reports can then be analysed in the Django admin site.


Associates a password expiry date with a user.

## Logging

All `django-security` modules send important log messages to the `security` logger. The application should configure a handler to receive them, for example in the `LOGGING` setting:

```python
LOGGING = {
    # The 'console' handler and 'verbose' formatter referenced below must be
    # defined under 'handlers' and 'formatters' in the same LOGGING dict.
    'loggers': {
        'security': {
            'handlers': ['console'],
            'level': 'INFO',
            'propagate': False,
            'formatter': 'verbose',
        },
    },
}
```

| File | Type | Py Version | Uploaded on | Size |
| --- | --- | --- | --- | --- |
| django-security-0.1.20b.tar.gz (md5) | Source | | 2013-11-26 | 19KB |